Special systems: MLS

1. Special systems: MLS • Multilevel security [“Red book” US-DOD 1987] • Considers the assurance risk when composing multilevel secure systems evaluated under security evaluation criteria. • Analyzing the security of interoperating and individually secure systems can be done in polynomial time. • Given a non-secure network configuration, then re-configuring the connections in an optimal way (to minimize the impact on interoperability) is NP.

2. Multilevel Security (MLS)[Bell LaPadula Model] • Security levels L define classification of subjects (processes) and objects. • eg, Unclassified, Secret, Top-Secret. • Policy: lattice of security levels (L,<=) • x<=y: level x information may flow to level y. • Unclassified < Secret < Top-Secret

3. Evaluation Criteria[“Orange” & “Red” Books] • MLS systems assured to different levels of assurance based on evaluation criteria. • (worst) D<C1<C2<C3<B1<B2<B3<A1 (best). • Evaluated systems must meet minimum risk requirements. • Systems storing high-risk combinations of data need high levels of assurance.

4. B2 B3 TS TS B1 S S S U U Configuring MLS NetworksChannel Cascade Attacks • Each evaluated system meets criteria. • However, network has cascading risk: • Attacker breaks system A, copies TS data to S, • copies this data from System A to B to C, • breaks system C, copies S(TS) data to U. • B3 assurance required when protecting TS and U, but cascade attack breaks B2 and lower systems. B C A

5. B2 B3 TS TS B2 B1 S S S B3 B3 B3 B1 U U Modeling MLS networksStrategy • effort((s,l),(s’,l’)) • The minimum effort required to compromise the network and copy/downgrade level l information held on system s to level l’ on system s’ • Cascade problem if exists s,s’ and l, l’: • effort((s,l),(s’,l’)) < system-assurance B C A

6. B2 B3 TS TS B1 S S S B3 B2 B3 B1 U U Modeling MLS networksStrategy (using Constraints) • Systems as flow-constraints between the levels of data that they store. B C A

7. B2 B3 TS TS B1 S S S U U Modeling MLS networksStrategy (using Constraints) • Systems as flow-constraints between the levels of data that they store. • Networks as flow-constraints that represent the channels that connect systems B C A

8. B2 B3 TS TS B1 S S S U U Modeling MLS networksStrategy (using Constraints) • Systems as flow-constraints between the levels of data that they store. • Networks as flow-constraints that represent the channels that connect systems • Soft constraint semi-ring as assurance levels B 3 2 C A 0 0 3 1

9. B2 B3 TS TS B1 S S S U U Modeling MLS networksStrategy (using Constraints) • Systems as flow-constraints between the levels of data that they store. • Networks as flow-constraints that represent the channels that connect systems • Soft constraint semi-ring as assurance levels • Cascade Detection: finding cascades. B 2 C A 0 3 3

10. B2 B3 TS TS B1 S S S U U Modeling MLS networksStrategy (using Constraints) • Systems as flow-constraints between the levels of data that they store. • Networks as flow-constraints that represent the channels that connect systems • Soft constraint semi-ring as assurance levels • Cascade Detection: finding cascades. B 2 C A 0 0 1 3

11. B TS A TS S S U C D S S U Ex1: Cascade Free Path

12. B TS A TS S S U C D S S U Ex1: Cascade Free Path TsA TsB SsC *1s TdA SdB UdC *1d B2 B3 TS TS C A B1 S S S U U

13. E = max( {0,0,3,0,1,0,0} ) = 3 TsA TsB SsC *1s 0 0 3 0 1 0 0 TdA SdB UdC *1d B R(TsA,SdB) 2 TS A TS S R(TsA,UdC) 3 S U C 0 R(TSA, *1d) D S S U R = max( {2,3,0} ) = 3 Ex1: Cascade Free Path

14. B TS A TS S S U C D S S U Ex2: Cascading Path

15. B TS A TS S S U C D S S U Ex2: Cascading Path B2 TS D C2 C A B1 S S S U

16. E = max( {2,0,0,0,1,0,0} ) = 2 2 0 0 0 1 0 0 B R(TsA,SdD) 2 TS A TS S R(TsA,UdC) 3 S U C 0 R(TsA ,*1d) D S S U R = max( {2,3,0} ) = 3 Ex2: Cascading Path TsA SsD SsC *1s SdA SdD UdC *1d

17. Conclusion • Secure interoperation is difficult! • Remember: when you compose two secure systems you could obtain a not secure system! • In real life: • Add comunications only when really needed!

19. Questions? • Thank you for your attention

20. C={pairwise-different} x1 {yellow} a} C, PC, con, def, V, D, {red,blue} x2 x3 {blue,yellow} x1 x2 x3 x4 x4 {red,blue,yellow} Crisp toward soft constraints P={ combination projection

21. 5$ C={pairwise-different} x1 3$ {yellow} • C-semiring <A,+,´,0,1>: {red,blue} x2 2$ Weighted x3 {blue,yellow} <+,min,+,+,0> x1 x2 x3 x4 Probabilistic <[0,1],max,,0,1> x4 {red,blue,yellow} Fuzzy <[0,1],max,min,0,1> Classical <{false,true},,,false,true> 15$ 15$ Combination (+) 13$ 13$ 15$ Projection (min) Crisp toward soft constraints

22. The Semiring Framework • A c-semiring is a tuple <A,+,×,0,1> such that: • A is the set of all consistency values and 0, 1A.0is thelowest consistency value and 1 is the highest consistency value; • +, the additive operator, is a closed, commutative, associativeand idempotent operation such that 1 is its absorbing elementand 0 is its unit element; • ×, the multiplicative operator, is a closed and associative operationsuch that 0is its absorbing element, 1is its unit elementand × distributes over +. Stefano Bistarelli, Ugo Montanari, and Francesca Rossi,Semiring-based Constraint Solving and Optimization Journal of the ACM, 44(2):201–236, Mar1997.

23. Semiring-based Constraints • Given a semiring<A,+,×, 0, 1>, an ordered set of variablesV over a finite domain D, a constraint is a function which mapsan assignment  of the variables in the support of c, supp(c) toan element of A. • Notation c represents the constraint function c evaluated underinstantiation , returning a semiring value. • Given two constraints c1 and c2, their combination is defined as(c1c2) = c1×c2 . • The operation C represents the combination of a set ofconstraints C. • a· b iff a+b=b • c1v c2 iff 8 c1· c2 Stefano Bistarelli, Ugo Montanari and Francesca Rossi,Soft Concurrent Constraint Programming, Proceedings of ESOP-2002, LNCS, April 2002.