
Lattice-Based Access Control Models

Lattice-Based Access Control Models. Ravi S. Sandhu Colorado State University CS 681 Spring 2005 John Tesch. Motivation. Examine the theoretical foundations of lattice-based access control


Presentation Transcript


  1. Lattice-Based Access Control Models Ravi S. Sandhu Colorado State University CS 681 Spring 2005 John Tesch

  2. Motivation • Examine the theoretical foundations of lattice-based access control • Show how the basic security objectives of confidentiality, integrity and availability are related to information flow policy • Relevancy of models to commercial applications • Support for the Chinese Wall argument

  3. Background • 1975 Bell-LaPadula – “Secure Computer Systems: Mathematical Foundations and Model” • 1976 Denning – “A Lattice Model of Secure Information Flow” • 1977 Biba – “Integrity Considerations for Secure Computer Systems” • 1989 Chinese Wall – “The Chinese Wall Security Policy” • 1992 Sandhu – “Lattice-Based Enforcement of Chinese Walls” • 1993 Sandhu – “Lattice-Based Access Control Models”

  4. Security Models • Bell-LaPadula – Confidentiality • Biba – Integrity • Chinese Wall (Brewer-Nash) – Conflict of Interest

  5. Lattice Model • Denning – 1976 • Purpose – Guarantee Secure Information Flow • Use mathematical framework to formulate requirements • Unify all systems that restrict information flow • Lead to automatic certification programs • Denning uses a set of axioms to limit program code that will violate security classes • Sandhu uses the axioms to control information flow at the model level

  6. Denning Lattice Model • Denning’s Flow Model – • FM = <N, P, SC, ,> • where: N = Objects • P = Processes • SC = Security Classes •  = Join operation on SC •  = Can-flow relation on SC • Assumption is static security classes (not objects)

  7. Denning Lattice • Example : High-Low policy • (H  H) H  H = H • (L  L) L  L = L • (L  H) L  H = H • (H not  L) H  L = H

  8. Denning’s Axioms • 1. The set of security classes is finite • 2. The can-flow relation, , is a partial order on SC • 3. SC has a lower bound with respect to  • 4. The join operator, , is a totally defined least upper bound operator

  9. Information Flow Definitions • 1. Information Flow Policy - <SC, , > • 2. Denning’s axioms • 3. Dominance – A  B if and only if B  A.

  10. Sandhu Definitions • Users – Humans • Subjects – Processes • Objects – files • Access matrix – subject X objects • Cell [s,o] = access rights • Owner can modify cell – discretionary

  11. Bell-LaPadula Model • Begin with discretionary control • Add authorization policy without user control (security labels) • Object – security classification • User – security clearance • Tranquility – User cannot change labels

  12. Bell-LaPadula Model • Simple security property – (human or process) • s reads o only if (s)  (o) • or (o)  (s) • *- security property – (process) • s reads o only if (s)  (o) • or (s)  (o) • Covert channels out of scope

  13. Biba Model • Flow from top to bottom • Simple integrity property – • s reads o only if (s)  (o) • Integrity * property – (process) • s reads o only if (s)  (o)

  14. Combining BLP and Biba • Subject s can read object o only if • (s)  (o) and (s)  (o) • Subject s can write object o only if • (s)  (o) and (s)  (o) • Can make a single lattice but you would have to reverse the hierarchy and rules of either BLP or Biba

  15. Conclusions • By applying Denning’s lattice model axioms to BLP and Biba, information flow can be clearly defined. • The axioms cannot take into account the problem of covert channels • The lattice is considered to be static • The paper’s focus is on the correctness of the lattice, not so much on the application to BLP and Biba

  16. Discussion • Does Sandhu adequately describe the lattice-based control using the semantics from Denning? • Are there systems that use a single lattice with both BLP and Biba? • How much of a performance hit is caused by covert channels? • Can the lattice handle the management of the access control in BLP?
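
An added example, not part of the original presentation: a Python check of the four Denning axioms from slide 8, run against the High-Low policy of slide 7. The function name `check_denning`, the encoding of the can-flow relation as a set of pairs, and the three-class `NO_JOIN` policy are assumptions constructed for illustration.

```python
from itertools import product


def check_denning(classes, flows):
    """Check Denning's axioms for security classes and a can-flow relation.

    `flows` is a set of (a, b) pairs meaning "information may flow from a to b".
    Returns (True, join_table) if all axioms hold, else (False, reason).
    """
    sc = sorted(set(classes))  # axiom 1: a finite set (sorted for stable output)

    def can(a, b):
        return (a, b) in flows

    # Axiom 2: can-flow is a partial order on SC.
    if not all(can(a, a) for a in sc):
        return False, "not reflexive"
    if any(a != b and can(a, b) and can(b, a) for a, b in product(sc, sc)):
        return False, "not antisymmetric"
    if any(can(a, b) and can(b, c) and not can(a, c)
           for a, b, c in product(sc, sc, sc)):
        return False, "not transitive"

    # Axiom 3: SC has a lower bound, a class that can flow to every class.
    if not any(all(can(low, x) for x in sc) for low in sc):
        return False, "no lower bound"

    # Axiom 4: join is totally defined and is the least upper bound.
    join = {}
    for a, b in product(sc, sc):
        uppers = [u for u in sc if can(a, u) and can(b, u)]
        least = [u for u in uppers if all(can(u, v) for v in uppers)]
        if len(least) != 1:
            return False, f"no least upper bound for {a!r}, {b!r}"
        join[(a, b)] = least[0]
    return True, join


# High-Low policy from slide 7: L may flow to H, H may not flow to L.
HIGH_LOW = ({"L", "H"}, {("L", "L"), ("L", "H"), ("H", "H")})

# Constructed counterexample: A and B share a lower bound but no upper bound,
# so the join of A and B is undefined and axiom 4 fails.
NO_JOIN = ({"L", "A", "B"},
           {("L", "L"), ("A", "A"), ("B", "B"), ("L", "A"), ("L", "B")})

if __name__ == "__main__":
    for name, policy in (("High-Low", HIGH_LOW), ("No-join", NO_JOIN)):
        print(name, check_denning(*policy))
```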
