This text provides a detailed explanation of two types of information security policies: confidentiality policies, which focus on protecting sensitive information, and integrity policies, which ensure the accuracy and reliability of data.
ITIS 3200:Introduction to Information Security and Privacy Dr. Weichao Wang
More details about two types of policies
• In the previous chapter, we said that there are two types of policies: confidentiality and integrity policies. Here we will provide more details for each type.
• Confidentiality policies: emphasize the protection of confidentiality.
• Also called information flow policies
• Prevent unauthorized disclosure of information
• Example: Bell-LaPadula model
Bell-LaPadula model:
• One-sentence description: no read up and no write down
• Informal description
• The simplest type of confidentiality classification is a set of security clearances arranged in an ordering
• A subject has a “security clearance”
• An object has a “security classification”
• Goal: prevent a subject with a low clearance from reading objects at a high classification
The Bell-LaPadula model combines mandatory and discretionary AC
• Simple security condition (in plain English): S can read O if and only if the classification of O is NOT higher than the clearance of S, and S has discretionary read access to O.
• Why do we need another rule?
• Star-property (*-property, in plain English): S can write O if and only if the classification of O is NOT lower than the clearance of S, and S has discretionary write access to O.
Look at the example we provide:
• Claire cannot read the personnel file
• Tamara can read anything if she has the discretionary read right
• Tamara cannot write an activity log file
• Basic security theorem (in plain English): A system has a secure initial state σ0 and a set of state transformations. If every transformation preserves the simple security condition and the star property, then every state σi is secure.
Security clearance and classification provide one-dimensional control over access; how can we control access to information at the same level?
• Discretionary access control (it works, but with too much overhead)
• Introduce a second dimension: category
• Each category describes a kind of information. Both subjects and objects can be in multiple categories.
Now every subject and object needs to be described by a two-dimensional entry
• Captain John Wayne: (Confidential, {army})
• Pres. Obama: (TS, {army, navy, air force})
• Lunch menu for Easy Company: (c, {army})
• Plan to attack xxxx: (TS, {army, navy, air})
• If S has the categories {army, navy}, S can read objects with {}, {army}, {navy}, and {army, navy}, provided the clearance and discretionary rights allow S to do so.
Now we have to redefine the confidentiality policies
• Definition: a security level (l, c) dominates the security level (l’, c’) if and only if l’ ≤ l and c’ is a subset of c.
• Example:
• George (s, {army, navy}), doc A (c, {army}), doc B (s, {army, air}), doc C (s, {navy})
• George dominates doc A and doc C, but not doc B
Now we can rewrite the simple security condition and the *-property
• Simple security condition: s can read o if and only if s dominates o and s has discretionary read access to o.
• *-property: s can write to o if and only if o dominates s and s has discretionary write access to o.
• Now we see what we mean by “no read up” and “no write down”
We can redefine the basic security theorem as well
• A system has a secure initial state σ0 and a set of state transformations. If every transformation preserves the simple security condition and the star property, then every state σi is secure.
Now our system is safe from the view of confidentiality, but does it work?
• How can a General send a file to a captain?
• The model introduces a mechanism to solve the problem
• A subject has a maximum security level (msl) and a current security level (csl)
• msl must dominate csl
• A subject can lower its csl for communication reasons
Example: General Alice (s, {army, navy}), captain Bob (c, {army}). Alice changes her security level to (c, {army}) and talks to Bob.
An example: Data General’s B2 Unix system
• Enforces mandatory access control (MAC)
• Uses an updated version of Bell-LaPadula
• Read down is permitted
• Writes have to be at the same level
• To allow communication, B2 Unix gives processes and objects a range of labels, where the upper bound must dominate the lower bound
Example: we have s and ts security classifications; army, navy, and air force categories
• (s, {army}), (ts, {army}) is a range
• (s, {}), (ts, {army, air, navy}) is a range
• (s, {army}), (ts, {navy, air}) is not a range
A process
• Can read an object if its MAC label grants read access to the upper bound of the range
• Has write access if its MAC label grants write access to any label in the range
• Example: an object with range (s, {army}), (ts, {army, navy})
• A process with (s, {army}): can write but not read
• A process with (ts, {army, navy, air}): can read but not write
• A process with (ts, {army, navy}): both read and write
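The dominance relation with categories, the rewritten simple security condition and *-property, the msl/csl lowering step, and the B2 Unix range checks above, worked through as an added example (not code from the slides); the level ordering c < s < ts and the function names are my own assumptions.

```python
from dataclasses import dataclass

# Assumed linear ordering of classification levels (the slides use c, s, ts).
LEVELS = {"c": 0, "s": 1, "ts": 2}


@dataclass(frozen=True)
class Label:
    level: str
    cats: frozenset


def lbl(level, *cats):
    """Build a (level, {categories}) security label."""
    return Label(level, frozenset(cats))


def dominates(a, b):
    """(l, c) dominates (l', c') iff l' <= l and c' is a subset of c."""
    return LEVELS[b.level] <= LEVELS[a.level] and b.cats <= a.cats


# Bell-LaPadula with categories; the discretionary right is passed in explicitly.
def can_read(subject, obj, dac_read=True):
    """Simple security condition: s reads o iff s dominates o (no read up)."""
    return dac_read and dominates(subject, obj)


def can_write(subject, obj, dac_write=True):
    """*-property: s writes o iff o dominates s (no write down)."""
    return dac_write and dominates(obj, subject)


def set_current_level(msl, csl):
    """A subject may drop to csl only if its maximum level msl dominates it."""
    if not dominates(msl, csl):
        raise ValueError("current level must be dominated by maximum level")
    return csl


# B2 Unix style label ranges on objects.
def is_range(lower, upper):
    """A pair of labels is a valid range iff the upper bound dominates the lower."""
    return dominates(upper, lower)


def range_read(process, lower, upper):
    """Read requires read access to the upper bound of the range."""
    return is_range(lower, upper) and can_read(process, upper)


def range_write(process, lower, upper):
    """Write requires write access to some label in the range; because every
    label in the range is dominated by the upper bound, this holds iff the
    upper bound dominates the process."""
    return is_range(lower, upper) and can_write(process, upper)
```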