Lattice-Based Access Control Models
Ravi S. Sandhu
Colorado State University, CS 681, Spring 2005
John Tesch

Motivation
• Examine the theoretical foundations of lattice-based access control
• Show how the basic security objectives of confidentiality, integrity and availability are related to information flow policy
• Relevancy of models to commercial applications
• Support for the Chinese Wall argument

Background
• 1975 Bell-LaPadula – “Secure Computer Systems: Mathematical Foundations and Model”
• 1976 Denning – “A Lattice Model of Secure Information Flow”
• 1977 Biba – “Integrity Considerations for Secure Computer Systems”
• 1989 Chinese Wall – “The Chinese Wall Security Policy”
• 1992 Sandhu – “Lattice-Based Enforcement of Chinese Walls”
• 1993 Sandhu – “Lattice-Based Access Control Models”

Security Models
• Bell-LaPadula – Confidentiality
• Biba – Integrity
• Chinese Wall (Brewer-Nash) – Conflict of Interest

Lattice Model
• Denning – 1976
• Purpose – Guarantee Secure Information Flow
• Use mathematical framework to formulate requirements
• Unify all systems that restrict information flow
• Lead to automatic certification programs
• Denning uses a set of axioms to limit program code that will violate security classes
• Sandhu uses the axioms to control information flow at the model level

Denning Lattice Model
• Denning’s Flow Model –
• FM = <N, P, SC, ,>
• where: N = Objects
• P = Processes
• SC = Security Classes
• = Join operation on SC
• = Can-flow relation on SC
• Assumption is static security classes (not objects)

Denning Lattice
• Example: High-Low policy
• (H H) H H = H
• (L L) L L = L
• (L H) L H = H
• (H not L) H L = H

Denning’s Axioms
• 1. The set of security classes is finite
• 2. The can-flow relation, , is a partial order on SC
• 3. SC has a lower bound with respect to
• 4. The join operator, , is a totally defined least upper bound operator

Information Flow Definitions
• 1. Information Flow Policy - <SC, , >
• 2. Denning’s axioms
• 3. Dominance – A B if and only if B A.

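The axioms and the dominance definition above can be checked mechanically for any finite set of classes. The following is an added example, not code from the slides or from the papers they cite: the function names are assumptions, the three policies are constructed samples, and the (level, compartments) classes go beyond the High-Low example to show the general case.

```python
from itertools import product

def check_denning(sc, can_flow):
    """Check Denning's axioms; can_flow(a, b) means information may flow
    from a to b. Returns (True, join_table) or (False, reason)."""
    sc = list(sc)                      # Axiom 1: a finite set of classes
    # Axiom 2: can-flow is a partial order
    for a in sc:
        if not can_flow(a, a):
            return False, f"not reflexive: {a}"
    for a, b in product(sc, repeat=2):
        if a != b and can_flow(a, b) and can_flow(b, a):
            return False, f"not antisymmetric: {a}, {b}"
    for a, b, c in product(sc, repeat=3):
        if can_flow(a, b) and can_flow(b, c) and not can_flow(a, c):
            return False, f"not transitive: {a}, {b}, {c}"
    # Axiom 3: a lower bound that can flow to every class
    if not any(all(can_flow(low, x) for x in sc) for low in sc):
        return False, "no lower bound"
    # Axiom 4: join is a least upper bound defined for every pair
    join = {}
    for a, b in product(sc, repeat=2):
        uppers = [u for u in sc if can_flow(a, u) and can_flow(b, u)]
        least = [u for u in uppers if all(can_flow(u, v) for v in uppers)]
        if len(least) != 1:
            return False, f"join undefined: {a}, {b}"
        join[(a, b)] = least[0]
    return True, join

def dominates(can_flow, a, b):
    # A dominates B if and only if B can flow to A
    return can_flow(b, a)

# Constructed sample 1: the High-Low policy (every flow except H to L).
def high_low(a, b):
    return (a, b) != ("H", "L")

# Constructed sample 2: (level, compartments) classes, a common generalization.
CLASSES = [(lvl, frozenset(c)) for lvl in (0, 1)
           for c in ((), ("A",), ("B",), ("A", "B"))]
def compartment_flow(a, b):
    return a[0] <= b[0] and a[1] <= b[1]

# Constructed sample 3: no top class, so M1 and M2 have no upper bound.
def no_top(a, b):
    return a == b or a == "L"

if __name__ == "__main__":
    print(check_denning(["L", "H"], high_low)[0], check_denning(["L", "M1", "M2"], no_top))
```

The third sample is a partial order with a lower bound that still fails axiom 4, which is the case that separates a lattice-style policy from an arbitrary ordering of labels.
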
Sandhu Definitions
• Users – Humans
• Subjects – Processes
• Objects – Files
• Access matrix – subjects × objects
• Cell [s,o] = access rights
• Owner can modify cell – discretionary

Bell-LaPadula Model
• Begin with discretionary control
• Add authorization policy without user control (security labels)
• Object – security classification
• User – security clearance
• Tranquility – User cannot change labels

Bell-LaPadula Model
• Simple security property – (human or process)
• s reads o only if (s) (o)
• or (o) (s)
• *- security property – (process)
• s reads o only if (s) (o)
• or (s) (o)
• Covert channels out of scope

Biba Model
• Flow from top to bottom
• Simple integrity property –
• s reads o only if (s) (o)
• Integrity * property – (process)
• s reads o only if (s) (o)

Combining BLP and Biba
• Subject s can read object o only if (s) (o) and (s) (o)
• Subject s can write object o only if (s) (o) and (s) (o)
• Can make a single lattice but you would have to reverse the hierarchy and rules of either BLP or Biba

Conclusions
• By applying Denning’s lattice model axioms to BLP and Biba, information flow can be clearly defined.
• The axioms cannot take into account the problem of covert channels
• The lattice is considered to be static
• The paper’s focus is on the correctness of the lattice, not so much on the application to BLP and Biba

Discussion
• Does Sandhu adequately describe the lattice-based control using the semantics from Denning?
• Are there systems that use a single lattice with both BLP and Biba?
• How much of a performance hit is caused by covert channels?
• Can the lattice handle the management of the access control in BLP?