
ITIS 3200: Introduction to Information Security and Privacy

ITIS 3200: Introduction to Information Security and Privacy. Dr. Weichao Wang. More details about two types of policies. In the previous chapter, we said that there are two types of policies: confidentiality and integrity policies. Here we provide more details for each type.

  1. ITIS 3200: Introduction to Information Security and Privacy. Dr. Weichao Wang

  2. More details about two types of policies • In the previous chapter, we said that there are two types of policies: confidentiality and integrity policies. Here we will provide more details for each type • Confidentiality policies: emphasize the protection of confidentiality • Also called information flow policies • Prevent unauthorized disclosure of information • Example: Bell-LaPadula model

  3. Bell-LaPadula model: • One-sentence description: no read up and no write down • Informal description • The simplest type of confidentiality classification is a set of security clearances arranged in a linear ordering • A subject has a "security clearance" • An object has a "security classification" • Goal: prevent a subject with a low clearance from reading objects with a high classification

  4. The Bell-LaPadula model combines mandatory and discretionary AC • Simple security condition (in plain English): S can read O if and only if the classification of O is NOT higher than the clearance of S, and S has discretionary read access to O • Why do we need another rule? With the read rule alone, a subject with a high clearance could read a high object and then copy its contents into an object with a low classification, where low-clearance subjects can read it; a second rule must therefore constrain writes • Star-property (*-property, in plain English): S can write O if and only if the classification of O is NOT lower than the clearance of S, and S has discretionary write access to O

  5. Look at the example we provided: • Claire cannot read the personnel file • Tamara can read anything if she has the discretionary read right • Tamara cannot write an activity log file • Basic security theorem (in plain English): A system has a secure initial state σ0 and a set of state transformations. If every transformation preserves the simple security condition and the *-property, then every state σi is secure

  6. Security clearance and classification provide one-dimensional control over access; how can we control access to information at the same level? • Rely on discretionary control alone (it works, but has too much overhead) • Introduce a second dimension: categories • Each category describes a kind of information. Both subjects and objects can be in multiple categories

  7. Now every subject and object needs to be described by a two-dimensional label: (classification, set of categories) • Captain John Wayne: (Confidential, {army}) • Pres. Obama: (TS, {army, navy, air force}) • Lunch menu for Easy Company: (c, {army}) • Plan to attack xxxx: (TS, {army, navy, air}) • If S has the categories {army, navy}, she can read objects with the category sets {}, {army}, {navy}, and {army, navy}, provided the clearance check and the discretionary rights are also satisfied

  8. Now we have to redefine the confidentiality policies • Definition: a security level (l, c) dominates the security level (l', c') if and only if l' ≤ l and c' is a subset of c (c' ⊆ c) • Example: • George (s, {army, navy}), doc A (c, {army}), doc B (s, {army, air}), doc C (s, {navy}) • George dominates doc A and doc C, but not doc B ({army, air} is not a subset of {army, navy})

  9. Now we can rewrite the simple security condition and the *-property • Simple security condition: s can read o if and only if s dominates o and s has discretionary read access to o • *-property: s can write to o if and only if o dominates s and s has discretionary write access to o • Now we see what we mean by "no read up" and "no write down"

  10. We can redefine the basic security theorem as well • A system has a secure initial state σ0 and a set of state transformations. If every transformation preserves the simple security condition and the *-property, then every state σi is secure

  11. Now our system is safe from the point of view of confidentiality, but does it work in practice? • How can a General send a file to a Captain? • The model introduces a mechanism to solve the problem • A subject has a maximum security level (msl) and a current security level (csl) • msl must dominate csl • A subject can lower its csl (to any level its msl dominates) for communication purposes; the msl itself does not change

  12. Example: General Alice (s, {army, navy}), captain Bob (c, {army}). Alice changes her security level to (c, {army}) and talks to Bob.
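The checks from slides 8 through 12, written out as runnable code. This is an added example, not code from the lecture: it implements the dominates relation, the simple security condition and the *-property over (level, categories) labels with a small discretionary access matrix, and a subject with a maximum and a current security level. The George/doc A/B/C labels and the Alice/Bob labels are the slides' own; the "memo" object that Alice writes for Bob, the level ordering u < c < s < ts, and the discretionary rights granted are assumptions made for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple

# Linear ordering of classifications/clearances (higher index = more sensitive).
# Assumed ordering: u < c < s < ts.
LEVELS: Dict[str, int] = {"u": 0, "c": 1, "s": 2, "ts": 3}


@dataclass(frozen=True)
class Label:
    """A security level (l, c): a classification plus a set of categories."""
    level: str
    cats: FrozenSet[str]

    def dominates(self, other: "Label") -> bool:
        # (l, c) dominates (l', c') iff l' <= l and c' is a subset of c
        return LEVELS[self.level] >= LEVELS[other.level] and other.cats <= self.cats


def L(level: str, *cats: str) -> Label:
    return Label(level, frozenset(cats))


@dataclass
class Subject:
    name: str
    msl: Label                    # maximum security level (the clearance)
    csl: Optional[Label] = None   # current security level; msl must dominate it

    def __post_init__(self) -> None:
        if self.csl is None:
            self.csl = self.msl
        if not self.msl.dominates(self.csl):
            raise ValueError(f"{self.name}: msl must dominate csl")

    def set_current_level(self, new_csl: Label) -> None:
        """A subject may move its csl anywhere its msl dominates (slide 11)."""
        if not self.msl.dominates(new_csl):
            raise ValueError(f"{self.name}: msl does not dominate {new_csl}")
        self.csl = new_csl


class BLPSystem:
    """Objects carry one label; the DAC part is a plain access-control matrix."""

    def __init__(self) -> None:
        self.objects: Dict[str, Label] = {}
        self.dac: Dict[Tuple[str, str], Set[str]] = {}

    def add_object(self, name: str, label: Label) -> None:
        self.objects[name] = label

    def grant(self, subject: str, obj: str, *rights: str) -> None:
        self.dac.setdefault((subject, obj), set()).update(rights)

    def _has_dac(self, s: Subject, obj: str, right: str) -> bool:
        return right in self.dac.get((s.name, obj), set())

    def can_read(self, s: Subject, obj: str) -> bool:
        # Simple security condition: s dominates o, and s has discretionary read
        return s.csl.dominates(self.objects[obj]) and self._has_dac(s, obj, "r")

    def can_write(self, s: Subject, obj: str) -> bool:
        # *-property: o dominates s, and s has discretionary write
        return self.objects[obj].dominates(s.csl) and self._has_dac(s, obj, "w")


def demo() -> Dict[str, bool]:
    system = BLPSystem()
    # Slide 8: George (s, {army, navy}) and three documents (DAC rights assumed)
    george = Subject("George", L("s", "army", "navy"))
    system.add_object("docA", L("c", "army"))
    system.add_object("docB", L("s", "army", "air"))
    system.add_object("docC", L("s", "navy"))
    for doc in ("docA", "docB", "docC"):
        system.grant("George", doc, "r", "w")

    # Slide 12: General Alice (s, {army, navy}) wants to pass a memo to
    # Captain Bob (c, {army}).  The memo object is an assumption for the demo.
    alice = Subject("Alice", L("s", "army", "navy"))
    bob = Subject("Bob", L("c", "army"))
    system.add_object("memo", L("c", "army"))
    system.grant("Alice", "memo", "w")
    system.grant("Bob", "memo", "r")

    out = {
        "george_reads_docA": system.can_read(george, "docA"),    # dominates
        "george_reads_docB": system.can_read(george, "docB"),    # lacks {air}
        "george_reads_docC": system.can_read(george, "docC"),    # dominates
        "george_writes_docA": system.can_write(george, "docA"),  # write down
        "alice_writes_memo_at_msl": system.can_write(alice, "memo"),
    }
    alice.set_current_level(L("c", "army"))   # Alice drops to Bob's level
    out["alice_writes_memo_after_drop"] = system.can_write(alice, "memo")
    out["bob_reads_memo"] = system.can_read(bob, "memo")
    return out


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

Note that the downgrade is only possible because Alice's msl dominates (c, {army}); an attempt to set a csl the msl does not dominate raises an error, which is the "msl must dominate csl" rule from slide 11.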

  13. An example: Data General's B2 Unix system • Enforces mandatory access control (MAC) • Uses a variant of Bell-LaPadula • Read down is permitted • Writes have to be at the same level • To allow communication, B2 Unix assigns each process and object a range of labels (a lower bound and an upper bound), where the upper bound must dominate the lower bound

  14. Example: we have s and ts security classifications and the army, navy, and air force categories • (s, {army}), (ts, {army}) is a range • (s, {}), (ts, {army, air, navy}) is a range • (s, {army}), (ts, {navy, air}) is not a range ({army} is not a subset of {navy, air}, so the upper bound does not dominate the lower bound)

  15. A process • Can read an object if its MAC label grants read access to the upper bound of the range (i.e. the process label dominates the upper bound) • Has write access if its MAC label grants write access to any label in the range (since writes require equal labels, the process label must lie inside the range) • Example: an object with range (s, {army}), (ts, {army, navy}) • A process with (s, {army}): can write but not read • A process with (ts, {army, navy, air}): can read but not write • A process with (ts, {army, navy}): both read and write
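The range rules from slides 13 through 15 as runnable code. This is an added example, not code from the lecture or from Data General: it encodes the single-label DG/UX rules stated on slide 13 (read down permitted, write only at an equal label) and derives from them the range rules on slide 15 (read needs read access to the upper bound; write needs write access to some label in the range). Only the two classifications the slides use, s < ts, are modelled; the labels and ranges are those on slides 14 and 15.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Only the two classifications used on the slides, in order (assumed s < ts).
LEVELS: Dict[str, int] = {"s": 0, "ts": 1}


@dataclass(frozen=True)
class Label:
    level: str
    cats: FrozenSet[str]

    def dominates(self, other: "Label") -> bool:
        return LEVELS[self.level] >= LEVELS[other.level] and other.cats <= self.cats


def L(level: str, *cats: str) -> Label:
    return Label(level, frozenset(cats))


def is_range(lower: Label, upper: Label) -> bool:
    """Two labels form a range only if the upper bound dominates the lower."""
    return upper.dominates(lower)


@dataclass(frozen=True)
class LabelRange:
    lower: Label
    upper: Label

    def __post_init__(self) -> None:
        if not is_range(self.lower, self.upper):
            raise ValueError("upper bound must dominate lower bound")

    def contains(self, label: Label) -> bool:
        return label.dominates(self.lower) and self.upper.dominates(label)


def mac_read_ok(proc: Label, obj: Label) -> bool:
    """Single-label rule (slide 13): read down, i.e. process dominates object."""
    return proc.dominates(obj)


def mac_write_ok(proc: Label, obj: Label) -> bool:
    """Single-label rule (slide 13): writes must be at the same level."""
    return proc == obj


def can_read(proc: Label, rng: LabelRange) -> bool:
    # Read: the process label must grant read on the range's upper bound.
    return mac_read_ok(proc, rng.upper)


def can_write(proc: Label, rng: LabelRange) -> bool:
    # Write: the process label must grant write on some label in the range.
    # Because writes need equal labels, that is exactly "proc lies in the range";
    # LabelRange.contains is the closed form of that membership test.
    return rng.contains(proc) and mac_write_ok(proc, proc)


def demo() -> Dict[str, bool]:
    obj = LabelRange(L("s", "army"), L("ts", "army", "navy"))  # slide 15 object
    procs = {
        "s_army": L("s", "army"),
        "ts_army_navy_air": L("ts", "army", "navy", "air"),
        "ts_army_navy": L("ts", "army", "navy"),
    }
    out: Dict[str, bool] = {}
    for name, p in procs.items():
        out[f"{name}_read"] = can_read(p, obj)
        out[f"{name}_write"] = can_write(p, obj)
    # slide 14: which label pairs are valid ranges
    out["range_s_army_to_ts_army"] = is_range(L("s", "army"), L("ts", "army"))
    out["range_s_to_ts_all"] = is_range(L("s"), L("ts", "army", "air", "navy"))
    out["range_s_army_to_ts_navy_air"] = is_range(L("s", "army"), L("ts", "navy", "air"))
    return out


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The process at (s, {army}) can write because it equals the lower bound of the range, yet cannot read because it does not dominate the upper bound; the process at (ts, {army, navy, air}) is the mirror case, dominating the upper bound but sitting outside the range.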
