MANDATORY FLOW CONTROL Xiao Chen, Fall 2009, CSc 8320
INDEX • Section One: Basic Introduction • Mandatory Flow Control Models • Information Flow Control • Lattice Model • Multilevel Models • Section Two: Contemporary Application • Windows Vista IE7 Implements Biba Model • Section Three: Future Prospect • Improvement of P2P • References
MANDATORY FLOW CONTROL MODELS • Definition: Mandatory access control (MAC) refers to a type of access control by which the operating system constrains the ability of a subject to access, or more generally perform some operation on, an object or target.
MANDATORY FLOW CONTROL MODELS • Why is it necessary when we already have the discretionary security model? With the advances in networks and distributed systems, it is necessary to broaden the scope to control the flow of information between distributed nodes on a system-wide basis, rather than only on the per-object, per-owner basis that discretionary control provides.
Difference between Discretionary and Mandatory access control [4] • Under mandatory access control, the security policy is centrally controlled by a security policy administrator; users cannot override the policy and, for example, grant access to files that would otherwise be restricted. • By contrast, discretionary access control (DAC), which also governs the ability of subjects to access objects, allows users (typically the owner of an object) to make policy decisions and/or assign security attributes.
Information Flow Control [1] • Definition: Information flow control is concerned with how information is disseminated or propagated from one object to another, not merely with who may open which object. • The security classes of all entities must be specified explicitly, and the class of an entity seldom changes after it has been created.
The Lattice Model • The best-known information flow model. • Based on the mathematical concept of a lattice: a finite partially ordered set together with a least upper bound (join) and a greatest lower bound (meet) operator on the set.
THE LATTICE MODEL • Drawn as a graph (Hasse diagram), a finite lattice is a directed acyclic graph (DAG) with a single source (the lowest class) and a single sink (the highest class). • Information is permitted to flow from a class to any class that dominates it, i.e. from a lower class to an upper class; flow between incomparable classes (for example two classes at the same level with different categories) is denied. Because dominance is transitive, any chain of permitted flows is itself a permitted flow.
Multilevel Security • Multilevel Security is a special case of the lattice-based information flow model. There are two well-known multilevel security models: • The Bell-LaPadula Model focuses on confidentiality of information • The Biba Model focuses on system integrity
Bell-LaPadula Model • Need-to-know principle: A subject is given access only to the objects that it requires to perform its job. • Security with respect to confidentiality in the Bell-LaPadula model is described by the following two axioms, where SC(x) is the security class of x and "dominates" means greater than or equal to in the lattice: • Simple security property: Reading information from an object o by a subject s requires that SC(s) dominates SC(o) ("no read up"). • The *-property: Writing information to an object o by a subject s requires that SC(o) dominates SC(s) ("no write down").
Biba Model • In contrast to the Bell-LaPadula model, in the Biba model information can only flow from a higher integrity class to a lower integrity class. • Integrity levels form a linear lattice in which each level represents the classification of integrity of the information an object can contain, or the clearance of a subject for modifying an object. • Integrity categories form a subset lattice and are used to enforce the need-to-have principle.
Comparison of two Multilevel Models • The Bell-LaPadula model is concerned with information confidentiality: • a subject reading from an object must have a security class that dominates (is higher than or equal to) the object's class; • an object being written to by a subject must have a security class that dominates the subject's class. • The Biba model emphasizes information integrity: • a subject writing to an object must have an integrity class that dominates the object's class; • an object being read by a subject must have an integrity class that dominates the subject's class. • The two models are duals: Biba's rules are Bell-LaPadula's with the direction of dominance reversed.
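The lattice model and the two multilevel models above, as an added worked example that is not part of the original slides. A security class is a pair (level, set of categories), so two classes at the same level with different categories are incomparable; the level orderings, the class names and the "analyst" / "memo" objects are constructed for illustration, and the level index, not a name, is what the functions compare.

```python
"""Lattice of security classes (level, categories) with Bell-LaPadula and Biba checks.

Added example, not from the original slides. Levels are an index into an ordered
list and categories a set, so dominance is a partial order, not a total one.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, Iterable, List

# Constructed linear orderings; index = rank, higher = more sensitive / more trusted.
SENSITIVITY = ["unclassified", "confidential", "secret", "top_secret"]
INTEGRITY = ["untrusted", "low", "medium", "high"]


@dataclass(frozen=True)
class SC:
    """Security class: rank in one ordering plus a set of categories (compartments)."""
    level: int
    cats: FrozenSet[str] = frozenset()


def dominates(a: SC, b: SC) -> bool:
    """a >= b in the lattice: a's level is at least b's and a's categories include b's."""
    return a.level >= b.level and a.cats >= b.cats


def lub(a: SC, b: SC) -> SC:
    """Least upper bound (join): the lowest class both a and b may flow into."""
    return SC(max(a.level, b.level), a.cats | b.cats)


def glb(a: SC, b: SC) -> SC:
    """Greatest lower bound (meet): the highest class that may flow into both a and b."""
    return SC(min(a.level, b.level), a.cats & b.cats)


def can_flow(src: SC, dst: SC) -> bool:
    """Lattice model: information may flow from src to dst only if dst dominates src."""
    return dominates(dst, src)


def is_lattice(classes: Iterable[SC]) -> bool:
    """Check that join/meet behave as bounds for every pair, and that the join is the
    least upper bound among the given classes."""
    cs = list(classes)
    for a, b in combinations(cs, 2):
        j, m = lub(a, b), glb(a, b)
        if not (dominates(j, a) and dominates(j, b) and dominates(a, m) and dominates(b, m)):
            return False
        if any(dominates(c, a) and dominates(c, b) and not dominates(c, j) for c in cs):
            return False
    return True


# Bell-LaPadula (confidentiality): classes are sensitivity classes.
def blp_read(subject: SC, obj: SC) -> bool:
    """Simple security property: no read up."""
    return dominates(subject, obj)


def blp_write(subject: SC, obj: SC) -> bool:
    """*-property: no write down."""
    return dominates(obj, subject)


# Biba (integrity): classes are integrity classes; BLP's rules with the order reversed.
def biba_read(subject: SC, obj: SC) -> bool:
    """Simple integrity axiom: no read down."""
    return dominates(obj, subject)


def biba_write(subject: SC, obj: SC) -> bool:
    """Integrity *-property: no write up."""
    return dominates(subject, obj)


def sc(level_name: str, ordering: List[str], *cats: str) -> SC:
    """Build a class from a level name in the given ordering plus category names."""
    return SC(ordering.index(level_name), frozenset(cats))


def demo() -> dict:
    """Constructed subjects and objects; returns every decision so it can be checked."""
    analyst = sc("secret", SENSITIVITY, "nuclear")
    nuclear_memo = sc("confidential", SENSITIVITY, "nuclear")
    crypto_memo = sc("secret", SENSITIVITY, "crypto")      # same level, different category
    joint_report = sc("top_secret", SENSITIVITY, "nuclear", "crypto")
    join = lub(analyst, crypto_memo)                        # (secret, {nuclear, crypto})
    installer = sc("low", INTEGRITY)                        # code that came from the network
    system_dll = sc("high", INTEGRITY)
    return {
        "blp_read_lower": blp_read(analyst, nuclear_memo),        # no read up satisfied
        "blp_write_lower": blp_write(analyst, nuclear_memo),      # would be a write down
        "blp_read_incomparable": blp_read(analyst, crypto_memo),  # lacks the crypto category
        "blp_write_incomparable": blp_write(analyst, crypto_memo),
        "blp_write_up": blp_write(analyst, joint_report),
        "flow_via_join": can_flow(analyst, join) and can_flow(crypto_memo, join),
        "chain": can_flow(nuclear_memo, analyst) and can_flow(analyst, joint_report)
        and can_flow(nuclear_memo, joint_report),                  # transitivity
        "biba_low_reads_high": biba_read(installer, system_dll),
        "biba_low_writes_high": biba_write(installer, system_dll),
        "biba_high_reads_low": biba_read(system_dll, installer),
        "is_lattice": is_lattice([analyst, nuclear_memo, crypto_memo, joint_report,
                                  join, glb(analyst, crypto_memo)]),
    }
```

The incomparable case is the one a linear "higher/lower" reading of the rules misses: the analyst can neither read nor write the crypto memo, yet both classes flow into their join, which is exactly what a lattice (as opposed to a plain ordering) buys you.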
IE7 IMPLEMENTS BIBA MODEL [2] • According to the two rules of the Biba Integrity Model: • Simple Integrity Axiom – A subject at a particular integrity level must not be able to read from an object of a lower integrity level, i.e. "No Read Down". • Star Property Axiom – A subject at a particular integrity level must not be able to write to an object of a higher integrity level, i.e. "No Write Up".
IE7 IMPLEMENTS BIBA MODEL [2] • Keeping the integrity level of IE7 (Protected Mode) at Low ensures that any process or thread started by IE7 carries the same integrity level and therefore cannot write to any folder, registry key or application object in the system that is labelled at a higher integrity level (Star Property Axiom). The only locations IE7-based programs can write to are therefore the following, as they are assigned the same Low integrity level as IE7: • Temporary Internet Files • Cookies • Recycle Bin • Various registry keys, including ones under HKCU\Software\Microsoft\Internet Explorer • Note that Windows integrity control enforces the no-write-up rule by default (no-read-up is an optional per-object setting) and does not enforce Biba's no-read-down rule, so Protected Mode is a partial, write-side implementation of the model.
IE7 IMPLEMENTS BIBA MODEL [2] • On the other hand, if the user wants to save a file downloaded through IE7 to a local folder such as "My Documents", the application warns the user that this requires elevating privileges (a separate process at a higher integrity level does the write) to save the file to the alternate location. • If the download is a .exe file that needs to be installed, IE7 prompts for further elevation by asking for administrator credentials (the UAC prompt).
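The Protected Mode behaviour described on the last two slides, modelled as an added example (not code from the slides or from Microsoft). The object labels, location names and prompt names are constructed from the slides' description; the policy encoded is the one Windows actually applies: no-write-up is always enforced, no-read-up is an optional flag on an object, and the textbook Biba no-read-down rule is not enforced, which the `compare_read_rules` function makes visible.

```python
"""Windows Mandatory Integrity Control as used by IE7 Protected Mode (constructed model).

Added example, not from the slides or from Microsoft. Labels and prompt names are
assumptions built from the slides' description of which locations IE7 may write.
"""
from enum import IntEnum
from typing import Dict, Set, Tuple


class IL(IntEnum):
    """Windows integrity levels: a linear integrity lattice, higher = more trusted."""
    UNTRUSTED = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3
    SYSTEM = 4


# Constructed object labels: the locations the slides list are Low (same as IE7),
# the user's own folders are Medium (the default), installation targets are High.
OBJECT_LABELS: Dict[str, IL] = {
    "Temporary Internet Files": IL.LOW,
    "Cookies": IL.LOW,
    "Recycle Bin": IL.LOW,
    r"HKCU\Software\Microsoft\Internet Explorer": IL.LOW,
    "My Documents": IL.MEDIUM,
    "Program Files": IL.HIGH,
}
# Assumed: objects whose label carries the optional no-read-up policy flag.
NO_READ_UP_OBJECTS: Set[str] = {"My Documents"}

IE7_PROTECTED_MODE_IL = IL.LOW


def child_token_il(parent_il: IL) -> IL:
    """A process started by IE7 inherits its parent's integrity label."""
    return parent_il


def write_allowed(token_il: IL, object_il: IL) -> bool:
    """No write up: enforced for every object on Windows."""
    return token_il >= object_il


def read_allowed(token_il: IL, object_il: IL, no_read_up: bool) -> bool:
    """Windows only restricts reads when the object opts in to no-read-up;
    reading *down* (a Medium process reading a Low file) is never blocked."""
    return token_il >= object_il if no_read_up else True


def textbook_biba_read(subject_il: IL, object_il: IL) -> bool:
    """Simple integrity axiom as stated by Biba: no read down."""
    return object_il >= subject_il


def attempt_write(token_il: IL, location: str) -> Tuple[str, IL]:
    """Decide what happens when code running at token_il tries to write to location.
    Returns (outcome, integrity level the write actually needs)."""
    target = OBJECT_LABELS[location]
    if write_allowed(token_il, target):
        return ("allowed", token_il)
    if target <= IL.MEDIUM:
        # Slide: saving to My Documents warns the user and requires elevation to
        # the user's normal level, done by a separate higher-integrity process.
        return ("prompt_user_elevation", target)
    # Slide: installing a downloaded .exe prompts for administrator credentials.
    return ("prompt_admin_consent", target)


def ie7_write_report() -> Dict[str, Tuple[str, IL]]:
    """What a Low-integrity IE7 thread (or anything it spawned) gets for each location."""
    token = child_token_il(IE7_PROTECTED_MODE_IL)
    return {loc: attempt_write(token, loc) for loc in OBJECT_LABELS}


def compare_read_rules() -> Dict[str, bool]:
    """Where Windows departs from Biba: the read side."""
    return {
        "windows_low_reads_medium_default": read_allowed(IL.LOW, IL.MEDIUM, False),
        "windows_low_reads_medium_no_read_up": read_allowed(IL.LOW, IL.MEDIUM, True),
        "windows_medium_reads_low": read_allowed(IL.MEDIUM, IL.LOW, "Cookies" in NO_READ_UP_OBJECTS),
        "biba_medium_reads_low": textbook_biba_read(IL.MEDIUM, IL.LOW),
    }
```

The practical consequence for a defender: a compromised Protected Mode renderer can still read the user's Medium-labelled documents unless those objects carry the no-read-up flag, so Protected Mode limits persistence and tampering, not disclosure.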
FUTURE WORK • Multilevel models have been used mostly in military systems, although they are also useful for controlling attacks on different parts of a system, as the IE7 example shows. • In particular, Joshi et al. [Jos01] discuss adapting these models to web-based applications. They consider role-based access control the most suitable model, but argue that in the future it needs to be extended to take dynamic and task-based aspects into account. This is a good direction for future work. [3]
REFERENCES • [1] Randy Chow and Theodore Johnson, Distributed Operating Systems & Algorithms, Addison Wesley, 1997. • [2] IE7 Implements Biba Model, http://ranjanajain.spaces.live.com/blog/cns!5F09EF6281DD4DB0!221.entry?sa=390277086 • [3] Eduardo B. Fernandez, Chapter 4: Security models, http://www.cse.fau.edu/~ed/Ch4SecModels.pdf • [4] http://en.wikipedia.org/wiki/Mandatory_access_control