1 / 20

Confidentiality Models

This text explores the different types of security policies, such as military and commercial, and their focus on confidentiality, integrity, and trust. It also discusses the concept of security models and their role in formulating and testing security policies.

rickycurry
Download Presentation

Confidentiality Models

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Confidentiality Models CSCI283-172 Fall 2006 GWU Draws extensively from: Memon’s notes, Brooklyn Poly Pfleeger Text, Chapter 5 Bishop’s text, Chapter 5, Bishop’s slides, Chapter 5

  2. Types of Security Policies • A military security policy (also called government security policy) is a security policy developed primarily to provide confidentiality. • Not worrying about trusting the object as much as disclosing the object • A commercial security policy is a security policy developed primarily to provide a combination of confidentiality and integrity. • Focus on how much the object can be trusted. • Also confidentiality policy and integrity policy. CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set

  3. Security Models • To formulate a security policy you have to describe entities it governs and what rules constitute it – a security model does just that! • A security model is a model that represents a particular policy or set of policies. Used to: • Describe or document a policy • Test a policy for completeness and consistency • Help conceptualize and design an implementation • Check whether an implementation meets requirements. CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set

  4. Military Security Policy • Heirarchy of sensitivities, e.g.: top secret > secret > confidential > restricted > unclassified • Compartments, e.g: Iraq, WMDs, Crypto, non-proliferation, RSA, India, Israel • Pieces of Information held by US military, e.g.: Saddam’s location, India’s and Israels’ nuclear capability, security of RSA, published information on RSA, the names of Israel’s cabinet ministers • Classify above pieces of information into their classes: <rank; compartments> CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set

  5. Example from Pfleeger User cleared for: <secret: {dog, cat, pig}> has access to? <top secret; {dog}> <secret; {dog}> <secret; {dog, cow}> <secret; {moose}> <confidential; {dog, pig, cat}> <confidential; {moose}> CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set

  6. Example Top Secret (TS) | Secret (S) | Confidential (C) | Unclassified (UC) John Flynn | Monique Tronchin | Dianne Martin | Bhagi Narahari Strategic Files | Personnel Files | Student Files | Class Files A basic confidentiality classification system. Security Levels, Subjects, Objects What is the Information Flow? CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set

  7. Domination • Subject s cleared for class <ranks; compartmentss> and Object o is in class <ranko; compartmentso> • o dom s iff • ranks  ranko and • compartmentss  compartmentso • o dominates s • Military Security Policy: Subject has access to Object iff Subject dominates Object CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set

  8. The Bell-La Padula (BLP) Model Formal description of allowable paths of information flow in a secure system, in particular, military security policy – confidentiality. • Set of subjects S and objects O. Each subject s in S and o in O has a fixed security class • Security classes are ordered by a relation dom • Combines mandatory and discretionary access control. CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set

  9. Examples • Consider the subjects: • President of the USA • Prime Minister of Israel • Saddam Hussein • Bin Laden • Assess their • Domination • Access wrt the previous examples CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set

  10. BLP – Simple Version Information flows up, not down “Reads up” disallowed, “reads down” allowed Simple Security Property: A subject s may have read access to an object o if and only if s domo CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set

  11. BLP – Simple Version Information flows up, not down “Writes down” disallowed, “writes up” allowed *-Property: A subject s who has read access to an object o may have write access to an object p only if p dom o (Contents of a sensitive object can only be written to objects at least as high.). CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set

  12. BLP – Simple Version (Contd.) Basic Security Theorem: Let  be a system with a secure initial state 0and let T be a set of transformations. If every element of T preserves the simple security property and *-property, then every state i i 0 is secure. CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set

  13. Problem • Colonel has (Secret, {NUC, EUR}) clearance • Major has (Secret, {EUR}) clearance • Major can talk to colonel (“write up” or “read down”) • Colonel cannot talk to major (“read up” or “write down”) • Clearly absurd! CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set

  14. Solution • Define maximum, current levels for subjects • maxlevel(s) domcurlevel(s) • Example • Treat Major as an object (Colonel is writing to him/her) • Colonel has maxlevel (Secret, { NUC, EUR }) • Colonel sets curlevel to (Secret, { EUR }) • Now L(Major) dom curlevel(Colonel) • Colonel can write to Major without violating “no writes down” • Does L(s) mean curlevel(s) or maxlevel(s)? • Formally, we need a more precise notation: we won’t go much further CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set

  15. Partial Ordering • A partial ordering is a relation  that is reflexive, transitive and anti-symmetric • Reflexive – a  a • Transitive – If a  b and b  c, then a  c. • Anti-symmetric – If a  b and b  a, then a = b. • Example: Child of? Sibling of? Identical genetic content? Subset of  ? Divisor of ? Less than equal to  ? dom? CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set

  16. Lattices • A lattice is a collection of tuples (x, y) from a set X where • both x and y belong to set A and x  y. • Every tuple in the lattice has a greatest upper bound. • Every tuple has a least lower bound. • Note that not all tuples that can be formed from elements in X belong to the lattice. That is some elements are not comparable (partial ordering). CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set

  17. Examples Using the following partial orders, define lattices Subset of  ? Divisor of ? Less than equal to  ? CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set

  18. Lattice - Example G Is B G? Is B E? E F D A B C H J CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set

  19. BLP Example: Let NUC, EUR and US be categories. • Sets of categories are Null, {NUC}, {EUR}, {US}, {NUC, US}, {NUC, EUR}, {EUR, US} and {NU, EUR, US}. • George is cleared for (TOP SECRET, {NUC, US}) • A document may be classified as (CONFIDENTIAL, {EUR}). CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set

  20. Example Lattice {NUC, EUR, US} • The set of categories form a lattice under the subset operation {NUC, US} {EUR, US} {NUC, EUR}, {NUC} {EUR}, {US} CS283-172/Fall06/GWU/Vora Some slides from Bishop's slide set

More Related