DAC vs. MAC. Most people familiar with discretionary access control (DAC)

Similar documents
System design issues

DAC vs. MAC. Bell-Lapadula model. Security levels. Security properties. The lattice model top-secret, {Nuclear, Crypto} Straw man MAC implementation

Access Control. Discretionary Access Control

Discretionary Vs. Mandatory

DAC vs. MAC. Most people familiar with discretionary access control (DAC) Discretionary means anyone with access can propagate information:

DAC vs. MAC. Bell-Lapadula model. Security properties. Security levels. Straw man MAC implementation. The lattice model top-secret, {Nuclear, Crypto}

Last time. User Authentication. Security Policies and Models. Beyond passwords Biometrics

1 / Must not leak contents of your files to network - Must not tamper with contents of your files 3 / 42

CCM Lecture 12. Security Model 1: Bell-LaPadula Model

Labels and Information Flow

- Unix permission bits are an example - E.g., might set file private so that only group friends can read it:

Outline. 1 Mandatory access control. 2 Labels and lattices 3 LOMAC. 4 SELinux 1 / 43

Mandatory access control (MAC) can restrict propagation

Security Models Trusted Zones SPRING 2018: GANG WANG

Mandatory access control and information flow control

Complex Access Control. Steven M. Bellovin September 10,

CPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME:

Asbestos Operating System

Access control models and policies. Tuomas Aura T Information security technology

Chapter 9: Database Security: An Introduction. Nguyen Thi Ai Thao

Access control models and policies

Computer Security. Access control. 5 October 2017

Access Control Models

CSE Computer Security

Access control models and policies

Access Control Mechanisms

Operating System Security. Access control for memory Access control for files, BLP model Access control in Linux file systems (read on your own)

CSCI 420: Mobile Application Security. Lecture 7. Prof. Adwait Nadkarni. Derived from slides by William Enck, Patrick McDaniel and Trent Jaeger

CIS433/533 - Introduction to Computer and Network Security. Access Control

Access Control Part 3 CCM 4350

Access Control (slides based Ch. 4 Gollmann)

Verifiable Security Goals

CSE Computer Security

Lecture 4: Bell LaPadula

CS140 Operating Systems Final December 12, 2007 OPEN BOOK, OPEN NOTES

Explicit Information Flow in the HiStar OS. Nickolai Zeldovich, Silas Boyd-Wickizer, Eddie Kohler, David Mazières

Module 4: Access Control

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Access Control. Access Control: enacting a security policy. COMP 435 Fall 2017 Prof. Cynthia Sturton. Access Control: enacting a security policy

Advanced Systems Security: Multics

Protecting Information Assets - Week 10 - Identity Management and Access Control. MIS 5206 Protecting Information Assets

Discretionary Access Control (DAC)

Data quality attributes in network-centric systems

Information Security Theory vs. Reality

Access Control and Protection

Access Control. Steven M. Bellovin September 13,

Security Architecture

Chapter 6: Integrity Policies

May 1: Integrity Models

CSE543 - Computer and Network Security Module: Virtualization

Intrusion Detection Types

Operating Systems. Week 13 Recitation: Exam 3 Preview Review of Exam 3, Spring Paul Krzyzanowski. Rutgers University.

CS 416: Operating Systems Design April 22, 2015

Computer Security 3e. Dieter Gollmann. Chapter 5: 1

Mandatory Access Control

Access Control. Steven M. Bellovin September 2,

Storage and File System

Table 12.2 Information Elements of a File Directory

Formal methods and access control. Dr. Hale University of Nebraska at Omaha Information Security and Policy Lecture 8

Information Lifecycle Management for Business Data. An Oracle White Paper September 2005

Discretionary Access Control (DAC)

Segmentation with Paging. Review. Segmentation with Page (MULTICS) Segmentation with Page (MULTICS) Segmentation with Page (MULTICS)

COS 318: Operating Systems. File Systems. Topics. Evolved Data Center Storage Hierarchy. Traditional Data Center Storage Hierarchy

Advanced Systems Security: Ordinary Operating Systems

SELinux. Don Porter CSE 506

Access Control. Chester Rebeiro. Indian Institute of Technology Madras

Chapter 7: Hybrid Policies

DATABASE SECURITY AND PRIVACY. Some slides were taken from Database Access Control Tutorial, Lars Olson, UIUC CS463, Computer Security

19.1. Security must consider external environment of the system, and protect it from:

Exercises with solutions, Set 3

Summary. Final Week. CNT-4403: 21.April

Access Control. CMPSC Spring 2012 Introduction Computer and Network Security Professor Jaeger.

Security Principles and Policies CS 136 Computer Security Peter Reiher January 15, 2008

Chapter 15: Information Flow

Operating Systems Security Access Control

Protection Kevin Webb Swarthmore College April 19, 2018

Advanced Systems Security: Security Goals

CS140 Operating Systems Final Review. Mar. 13 th, 2009 Derrick Isaacson

Dion Model. Objects and their classification

Operating Systems Design Exam 3 Review: Spring 2011

Lecture 21. Isolation: virtual machines, sandboxes Covert channels. The pump Why assurance? Trust and assurance Life cycle and assurance

ECE 598 Advanced Operating Systems Lecture 22

CS 161 Multilevel & Database Security. Military models of security

CSE380 - Operating Systems

Chapter 4: Access Control

A Survey of Access Control Policies. Amanda Crowell

General Access Control Model for DAC

File. File System Implementation. File Metadata. File System Implementation. Direct Memory Access Cont. Hardware background: Direct Memory Access

Memory management. Last modified: Adaptation of Silberschatz, Galvin, Gagne slides for the textbook Applied Operating Systems Concepts

CSE361 Web Security. Access Control. Nick Nikiforakis

Chapter 8: Main Memory

Access Control Part 1 CCM 4350

Policy, Models, and Trust

Multifactor authentication:

CS 147: Computer Systems Performance Analysis

Advanced Systems Security: Integrity

Instructor: Jinze Liu. Fall 2008

We ve seen: Protection: ACLs, Capabilities, and More. Access control. Principle of Least Privilege. ? Resource. What makes it hard?

Chapter 8: Memory-Management Strategies

Chapter 4. Protection in General-Purpose Operating Systems. ch. 4 1

Transcription:

p. 1/1 DAC vs. MAC Most people familiar with discretionary access control (DAC) - Example: Unix user-group-other permission bits - Might set a fileprivate so only groupfriends can read it Discretionary means anyone with access can propagate information: - Mail sigint@enemy.gov < private Mandatory access control - Security administrator can restrict propagation - Abbreviated MAC (NOT a message authentication code)

p. 2/1 Bell-Lapadula model View the system as subjects accessing objects - The system input is requests, the output is decisions - Objects can be organized in one or more hierarchies, H (a tree enforcing the type of decendents) Four modes of access are possible: - execute no observation or alteration - read observation - append alteration - write both observation and modification The current access set, b, is (subj, obj, attr) tripples An access matrix M encodes permissible access types (subjects are rows, objects columns)

p. 3/1 Security levels A security level is a (c, s) pair: - c = classification E.g., unclassified, secret, top secret - s = category-set E.g., Nuclear, Crypto (c 1, s 1 ) dominates (c 2, s 2 ) iff c 1 c 2 and s 2 s 1 - L 1 dominates L 2 sometimes written L 1 L 2 or L 2 L 1 Subjects and objects are assigned security levels - level(s), level(o) security level of subject/object - current-level(s) subject may operate at lower level - level(s) bounds current-level(s) (current-level(s) level(s)) - Since level(s) is max, sometimes called S s clearance

p. 4/1 Label lattice A lattice is a set and a partial order such that any two elements have a least upper bound - I.e., given any x and y, there exists a unique z such that - x z and y z (z is an upper bound) - For any z such that x z and y z, z z (z is minimal) - Least upper bound (lub) z of x and y usually written z = x y Security levels form a lattice under What s lub of Bell-Lapadula labels (c 1, s 1 ) and (c 2, s 2 )?

p. 4/1 Label lattice A lattice is a set and a partial order such that any two elements have a least upper bound - I.e., given any x and y, there exists a unique z such that - x z and y z (z is an upper bound) - For any z such that x z and y z, z z (z is minimal) - Least upper bound (lub) z of x and y usually written z = x y Security levels form a lattice under What s lub of Bell-Lapadula labels (c 1, s 1 ) and (c 2, s 2 )? - (max(c 1, c 2 ), s 1 s 2 ) - I.e., higher of two classification levels, plus all categories in either label

p. 5/1 Security properties The simple security or ss-property: - For any (S, O, A) b, if A includes observation, then level(s) must dominate level(o) - E.g., an unclassified user cannot read a top-secret document The star security or *-property: - If a subject can observe O 1 and modify O 2, then level(o 2 ) dominates level(o 1 ) - E.g., cannot copy top secret file into secret file - More precisely, given (S, O, A) b: if A = r then current-level(s) level(o) ( no read up ) if A = a then current-level(s) level(o) ( no write down ) if A = w then current-level(s) = level (O)

p. 6/1 Example lattice top-secret, {Nuclear, Crypto} top-secret, {Nuclear} top-secret, {Crypto} top-secret, X X secret, {Nuclear} secret, {Crypto} secret, X L 1 L 1 means L 1 L 2 unclassified, Information can only flow up the lattice - No read up, no write down

p. 7/1 Straw man MAC implementation Take an ordinary Unix system Put labels on all files and directories to track levels Each user U has a security clearance (level(u)) Determine current security level dynamically - When U logs in, start with lowest curent-level - Increase current-level as higher-level files are observed (sometimes called a floating label system) - If U s level does not dominate current, kill program - If program writes to file it doesn t dominate, kill it Is this secure?

p. 8/1 No: Covert channels System rife with storage channels - Low current-level process executes another program - New program reads sensitive file, gets high current-level - High program exploits covert channels to pass data to low E.g., High program inherits file descriptor - Can pass 4-bytes of information to low prog. in file offset Labels themselves can be a storage channel - Arrange to raise process p i s label to communicate i - One reason why static analysis of programming languages is appealing (labels checked at compile time no covert channel) Other storage channels: - Exit value, signals, terminal escape codes,... If we eliminate storage channels, is system secure?

p. 9/1 No: Timing channels Example: CPU utilization - To send a 0 bit, use 100% of CPU in a busy-loop - To send a 1 bit, sleep and relinquish CPU - Repeat to transfer more bits, maybe with error correction Example: Resource exhaustion - High prog. allocate all physical memory if bit is 1 - If low prog. slow from paging, knows less memory available More examples: Disk head position, processor cache/tlb polution,... - In fact, blurry line between storage & timing channels - E.g., might affect the order or two low FS operations

p. 10/1 Reducing covert channels Observation: Covert channels come from sharing - If you have no shared resources, no covert channels - Extreme example: Just use two computers Problem: Sharing needed - E.g., read unclassified data when preparing classified Approach: Strict partitioning of resources - Strictly partition and schedule resources between levels - Occasionally reapportion resources based on usage - Do so infrequently to bound leaked information - In general, only hope to bound bandwidth of covert channels - Approach still not so good if many security levels possible

p. 11/1 Declassification Sometimes need to prepare unclassified report from classified data Declassification happens outside of system - Present file to security officer for downgrade Job of declassification often not trivial - E.g., Microsoft word saves a lot of undo information - This might be all the secret stuff you cut from document

p. 12/1 Biba integrity model Problem: How to protect integrity - Suppose text editor gets trojaned, subtly modifies files, might mess up attack plans Observation: Integrity is the converse of secrecy - In secrecy, want to avoid writing less secret files - In integrity, want to avoid writing higher-integrity files Use integrity hierarchy parallel to secrecy one - Now security level is a (c, s, i) triple, i =integrity - Only trusted users can operate at low integrity levels - If you read less authentic data, your current integrity level gets raised, and you can no longer write low files

p. 13/1 Generalizing the lattice Now say (c 1, s 1, i 1 ) (c 2, s 2, i 2 ) iff: - As before, c 1 c 2 and s 1 s 2 - In addition, require i 1 i 2 In general, say S 1 is labeled L 1, S 2 L 2, and L 1 L 2 - Neither S 1 nor S 2 is more privileged than the other - S 1 can write more objects (including any S 2 can) - S 2 can read more objects (including any S 1 can) - Information can flow from S 1 to S 2, but not necessarily vice versa Privilege comes from the ability to declassify - I.e., read object labeled L 2, write object labeled L 1 when L 2 L 1

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback