702904 & 711908 Information Security 2008, Lecture 5: Access Control, Security Models
Lecture Outline
• Access Control - Introduction
• Access Policies
• Access Control Methods
• Reference Monitors
• Access Matrix, Capabilities, Access Control Lists (ACLs)
• Security Models
  • Justification
  • Ranked
  • Bell-LaPadula
  • Chinese Walls
  • Biba
  • Clark-Wilson
References
• Pfleeger & Pfleeger (4ed) Sections 4.3, 4.4, 5.1, 5.2, 5.3
• Gollman Ch 3, Ch 4, Ch 9
• Pfleeger (3ed) 4.3, 4.4, 5.3, 5.4
• Windows
  • Start Help, search term: ‘access control’, then select ‘access control lists’
  • Start Help, search term: ‘security’, then select ‘File Properties overview’
Access Control - Introduction
• You want to protect some of the files you create
  • Is confidentiality an issue?
• Operating systems are designed to protect users from each other
  • Is integrity an issue?
• Terminology
  • An active subject wishes to use an access operation on a passive object.
    (Sam wishes to read the production log)
  • The same entity can sometimes be either subject or object
    (Sam wishes to execute the production program; the production program wishes to read the production log)
• We could specify what the subject is allowed to do, OR what may be done with the object
Access Control - Monitors
• Single level (no hierarchy)
• Sometimes called a Reference Monitor
• Easy to implement
• BUT
  • May become a bottleneck
  • (IF this access-control monitor is defeated, THEN all accesses are vulnerable)
Access Control - Modes
• There is a lot of computing history behind the four access modes (permissions)
  • Execute (usually includes Read capability)
  • Read
  • Append (blind write)
  • Write - which includes Read capability
• Note that these modes do not directly allow for entities (say an active user) to create objects, and to grant access modes to that object
  • Sam needs to create a file for the latest production report, and needs all members of the production team to have read access to that file
Policies (1)
• Historical considerations
  • The history of information systems and their automation is a history of compromise. Automation had to fit into existing schemes of information management. Similarly, the addition of security mechanisms has to fit into existing structures and systems. Highly secure systems are often a consequence of redesign and re-engineering of existing systems.
• Mandatory Security Policies
  • A system-wide policy decrees that all subjects and all objects are classified. Access classes are associated with every subject-object pair.
  • Access rights depend on the triple <subject-object-access class> for every such triplet, e.g. <Sam, Production Log, Write>
Policies (2)
• Discretionary Security Policies
  • Users are allowed to grant access to other users - often the OWNER of an object can grant access privileges to other users (at the owner's discretion)
  • Discretionary policies may allow one user to pass data to another user without the authority of the creator of the data
Access Control Methods
• Access Control Matrix
• Capabilities
• Access Control Lists
• An operating system reference is Silberschatz, Operating System Concepts (4 ed), Chapter 13
Access Control Matrix
• The entry in the table specifies the access modes that the subject in the row can perform on the object in the column
• Not really suitable for lots of users and files
Capabilities
• For each subject, a list of their access rights
• Associated with discretionary control policies
• Difficult to ascertain all those who can access a particular object
• Needs an operating system control program to change the access permissions on a particular object
• Suppose Alice has given Bob the right to read a series of files. It is easy to remove Alice’s capability, but how do we find and remove the capabilities that Alice granted to others?
Access Control Lists (ACLs)
• The access rights to an object are stored with the object (like a reference monitor for each object)
• Usually implemented by placing users in groups, with access rights granted to a group
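The three representations above differ mainly in which questions are cheap to answer. The following is an added example (not code from the lecture) that builds capability lists and ACLs from one constructed access matrix, then shows why "who can read this object?" is a single lookup with ACLs but a scan of every subject with capabilities, and why revoking the grants Alice handed out needs a grantor record that plain capability lists do not keep. All subjects, file names and a `grants` log are assumptions for the illustration.

```python
from collections import defaultdict

# Constructed access matrix: subject -> object -> set of access modes.
# (The subjects, file names and modes are made-up sample data.)
MATRIX = {
    "sam":   {"production_log": {"read"}, "production_prog": {"execute"}},
    "alice": {"report.txt": {"read", "write"}, "production_log": {"read"}},
    "bob":   {"report.txt": {"read"}},
}

def to_capabilities(matrix):
    """Capability lists: for each subject (row), the objects and modes it holds."""
    return {s: {o: set(m) for o, m in row.items()} for s, row in matrix.items()}

def to_acls(matrix):
    """ACLs: for each object (column), the subjects and modes allowed on it."""
    acls = defaultdict(dict)
    for subject, row in matrix.items():
        for obj, modes in row.items():
            acls[obj][subject] = set(modes)
    return dict(acls)

def readers_via_acl(acls, obj):
    """'Who can read this object?' is one lookup when rights live with the object."""
    return {s for s, modes in acls.get(obj, {}).items() if "read" in modes}

def readers_via_caps(caps, obj):
    """The same question with capabilities means scanning every subject's list."""
    return {s for s, row in caps.items() if "read" in row.get(obj, set())}

def revoke_subject(caps, subject):
    """Removing a subject's own capabilities is easy: drop that subject's list."""
    caps.pop(subject, None)

def grant(caps, grants, grantor, grantee, obj, mode):
    """Discretionary grant. We also record who granted it, which a plain
    capability list does not, so Alice's grants can be traced later."""
    caps.setdefault(grantee, {}).setdefault(obj, set()).add(mode)
    grants.append((grantor, grantee, obj, mode))

def revoke_grants_by(caps, grants, grantor):
    """Undo everything a grantor handed out. Without the grants log there is
    no cheap way to find these entries spread across all subjects' lists."""
    for entry in [g for g in grants if g[0] == grantor]:
        _, grantee, obj, mode = entry
        caps.get(grantee, {}).get(obj, set()).discard(mode)
        grants.remove(entry)
```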
Groups
• Used to simplify access control policies
Security Models
• We need models
• If you want a security policy to be enforceable, the policy will need to name the entities that are to have rights, and the entities that are to be controlled. There will need to be rules about both of these classes of entity; these rules are part of the policy.
• Security models are about different sorts of security policy.
Security Models - Bell-LaPadula
• The Bell-LaPadula model is about information confidentiality, and this model formally represents the long tradition of attitudes to the flow of information concerning national secrets.
Security Models - Chinese Walls
• Large consultancies can easily find there are conflicts of interest if individual consultants are given access to all information held by the consultancy. Chinese Wall models a particular way of restricting information flow.
Security Models - Biba
• Based on Cold War experiences, information integrity is also important, and the Biba model, complementary to Bell-LaPadula, is based on the flow of information where preserving integrity is critical.
Security Models - Clark-Wilson
• In the commercial sphere, the need is to engage in well-formed transactions which can only be undertaken by authorised personnel, and the Clark-Wilson model is an attempt to formally model a policy based on well-formed transactions.
Security Models - Formal Methods
• One benefit of using formal models is that mathematical (sometimes called formal) methods can be used to confirm that all transitions allowed by the model preserve the secure state of the system being modeled
• For real systems, modeling is not easy
Access Control - Ranked Model (1)
• Multi-level
• Often called Lattice methods
• Basis of military and commercial security
• Set of ordered security levels, users assigned to a level
• User subjects are privileged to access a rank and all lower ranks
Access Control - Ranked Model (2)
• We are also concerned about need to know
• Compartment the information to be secured
• Granting access:
  • A subject is cleared to access an object only if rank(subject) >= rank(object) AND the set of all compartments that contain the object is contained within the set of compartments that the subject is cleared to access
  • (The personnel manager will not be allowed to access confidential production data)
Access Control - Ranked Model (3)
• Companies often use the ranks: Public, Company Confidential, Executive-only
• Deciding what lies in what compartment keeps security staff occupied
Bell-LaPadula (1)
• Earliest formal model
• Each user subject and information object has a fixed security class
• Use the notation >= to indicate dominance
• Simple Security (ss) property: the no read-up property
  • A subject has read access to an object if the class (rank) of the subject C(s) is greater than or equal to the class (rank) of the object C(o)
  • need C(s) >= C(o)
Bell-LaPadula (2)
• * property (star): the no write-down property
  • While a subject has read access to object O, the subject can only write to object P if C(P) >= C(O)
• Leads to concentration of irrelevant detail at upper levels
Discretionary Security
• Discretionary Security (ds) property: if discretionary policies are in place, accesses are further limited to this access matrix
• Although all users in the personnel department can read all [personnel] documents, the personnel manager would expect to limit the readers of a document that dealt with redundancies in the personnel department!
Chinese Walls
• Suppose a consultancy has several airlines as clients
• It is a conflict of interest if a consultant working with Qantas has access to confidential data on Gulf gathered from another assignment
• Best illustrated by a diagram (Pfleeger & Pfleeger pp 251-252)
• For this model to work, a history of access rights has to be maintained
• (Also, if confidential information is written across conflict classes, an effective conflict of interest is created)
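The two points on the slide, that access depends on a retained history and that writing across conflict classes recreates the conflict, are easiest to see in code. This is an added example, not the lecture's or Pfleeger's code: the client companies, datasets and conflict classes are constructed, and the write rule (a consultant may write to a company's data only if they have read nothing from any other company) is the Brewer-Nash form of the policy.

```python
from collections import defaultdict

# Constructed consultancy data: each dataset belongs to one client company,
# and companies are grouped into conflict-of-interest classes.
COMPANY_OF = {"qantas_fleet_costs": "Qantas", "gulf_route_plans": "Gulf",
              "acme_bank_ledger": "AcmeBank"}
CONFLICT_CLASS = {"Qantas": "airlines", "Gulf": "airlines", "AcmeBank": "banks"}

class ChineseWall:
    """Access decisions depend on each consultant's history of past reads,
    so the history has to be kept for as long as the policy applies."""

    def __init__(self):
        self.history = defaultdict(set)  # consultant -> companies already read

    def can_read(self, consultant, dataset):
        company = COMPANY_OF[dataset]
        for seen in self.history[consultant]:
            # A competitor in the same conflict class was read earlier: wall is up
            if seen != company and CONFLICT_CLASS[seen] == CONFLICT_CLASS[company]:
                return False
        return True

    def read(self, consultant, dataset):
        """Perform the read and record it; the first read in a class fixes
        which company of that class this consultant may ever see."""
        if not self.can_read(consultant, dataset):
            return False
        self.history[consultant].add(COMPANY_OF[dataset])
        return True

    def can_write(self, consultant, dataset):
        """Writing is allowed only if the consultant has read nothing from any
        other company, so confidential data cannot cross conflict classes
        through a dataset that someone else is entitled to read."""
        company = COMPANY_OF[dataset]
        return (self.can_read(consultant, dataset)
                and self.history[consultant] <= {company})
```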
Biba
• Concerned with integrity of information
• We wish to prevent the spread of untrusted information
• A Cold War issue - the intelligence services of the UK were known to have been compromised by the Soviets. How then could the USA ensure that USA intelligence data was not ‘corrupted’ by possibly misleading data flowing from UK sources?
• Subject s can only modify object o if I(s) >= I(o) (no write-up)
• Integrity * property: if s can read o, s can only write to p if I(o) >= I(p)
• So ‘clean’ objects do not become ‘contaminated’
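The ranked model, the Bell-LaPadula ss and * properties, and the Biba rules above all rest on one dominance relation over labels (rank plus compartments). The following is an added example, not the lecture's code, that implements that relation once and applies it both ways: the rank names, subjects and objects are constructed from the slides' examples, and the two Biba integrity levels are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Constructed ranking from the slides: a higher number dominates a lower one.
RANK = {"Public": 0, "Company-confidential": 1, "Executive": 2}

@dataclass(frozen=True)
class Label:
    """A security class: a rank (level) plus a set of need-to-know compartments."""
    level: int
    compartments: FrozenSet[str] = frozenset()

    def dominates(self, other):
        # rank(self) >= rank(other) AND every compartment of other is one of ours
        return self.level >= other.level and other.compartments <= self.compartments

def label(rank, *compartments):
    """Build a confidentiality label from a named rank and compartments."""
    return Label(RANK[rank], frozenset(compartments))

# Bell-LaPadula: the labels are confidentiality classes C()
def blp_can_read(subject, obj):
    """ss-property (no read-up): need C(s) >= C(o)."""
    return subject.dominates(obj)

def blp_can_write(read_obj, write_obj):
    """*-property (no write-down): having read O, may write P only if C(P) >= C(O)."""
    return write_obj.dominates(read_obj)

# Biba: the same dominance relation applied to integrity classes I()
def biba_can_modify(subject, obj):
    """Simple integrity (no write-up): need I(s) >= I(o)."""
    return subject.dominates(obj)

def biba_can_write_after_read(read_obj, write_obj):
    """Integrity *-property: having read o, may write p only if I(o) >= I(p)."""
    return read_obj.dominates(write_obj)

# Constructed subjects and objects for the checks
SAM = label("Company-confidential", "Production")
PERSONNEL_MANAGER = label("Executive", "Personnel")
PRODUCTION_LOG = label("Company-confidential", "Production")
PUBLIC_NOTICE = label("Public")
BOARD_PAPER = label("Executive", "Production")
TRUSTED_SOURCE = Label(2)     # assumed Biba integrity levels: higher is more trusted
UNTRUSTED_SOURCE = Label(1)
```

Note that the personnel manager outranks the production log yet cannot read it: the compartment test, not the rank, is what denies the access.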
Clark-Wilson (1)
• The security requirements of commercial transactions are about integrity, and the prevention of error and fraud.
• There is an established principle of separation of duties, which aims to ensure that users must collaborate to validly manipulate data, and hence users must collude to commit fraud.
• Clark-Wilson aims to define well-formed transactions, so users cannot directly access data, and specific data items can only be modified by defined programs.
Clark-Wilson (2)
• Internal consistency of data items should be ensured by the system
• External consistency (that the system matches the real world) is achieved by auditing.
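An added example (not the lecture's code) of the Clark-Wilson pieces just described: users reach a constrained data item only through certified (user, TP, CDI) triples, a transformation procedure enforces separation of duties, an integrity verification procedure checks internal consistency after every transaction, and an audit log is kept for the external check. The payments ledger, its budget, the users and the rule that a payment's creator may not approve it are all constructed for the illustration.

```python
import copy
from dataclasses import dataclass, field

# Constructed example: a payments ledger is the constrained data item (CDI).
@dataclass
class Ledger:
    budget: int = 500
    payments: dict = field(default_factory=dict)  # id -> amount, creator, approver

# Certified access triples (user, TP, CDI): the only route by which a user
# may touch a CDI; there is no direct data access.
TRIPLES = {("ann", "create_payment", "ledger"), ("ann", "approve_payment", "ledger"),
           ("bo", "approve_payment", "ledger")}

def create_payment(ledger, user, pid, amount):
    ledger.payments[pid] = {"amount": amount, "creator": user, "approver": None}
    return True

def approve_payment(ledger, user, pid):
    payment = ledger.payments[pid]
    if payment["creator"] == user:   # separation of duties: creator cannot approve
        return False
    payment["approver"] = user
    return True

TPS = {"create_payment": create_payment, "approve_payment": approve_payment}
AUDIT = []   # the audit trail used to check external consistency later

def ivp(ledger):
    """Integrity verification procedure: internal consistency of the CDI."""
    approved = [p for p in ledger.payments.values() if p["approver"]]
    return (sum(p["amount"] for p in approved) <= ledger.budget
            and all(p["approver"] != p["creator"] for p in approved))

def run_tp(user, tp_name, cdi_name, cdi, *args):
    """A well-formed transaction: only a certified triple may run the TP, and
    the TP must leave the CDI in a state the IVP accepts, else it is rolled back."""
    if (user, tp_name, cdi_name) not in TRIPLES:
        AUDIT.append((user, tp_name, "denied"))
        return False
    snapshot = copy.deepcopy(cdi.payments)
    ok = TPS[tp_name](cdi, user, *args) and ivp(cdi)
    if not ok:
        cdi.payments = snapshot
    AUDIT.append((user, tp_name, "ok" if ok else "rejected"))
    return ok
```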
Transitions
• If a system starts in a secure state, and all transitions are secure, then the system remains in a secure state?
• But what if we allow users to downgrade all objects, and then modify the access control matrix so all modes (permissions) are allowed for each entry?
• So we need to beware of transitions that change access rights
Tranquility
• Pfleeger (4ed) p 316, Q1; Gollman p 49
• Starting with a Bell-LaPadula model, with ranked classes of users
  • Executive, Company-confidential, Public
• And segregated compartments
  • Sales, Production
• And all users assigned a rank
• And all files assigned a rank and a compartment
• TRANQUILITY is when these assignments do not change - or are not allowed to change
Tranquility in practice
• Production program systems need to open and use work files, and open and use spool print files; class or subroutine libraries need to be accessed.
• For systems with mandatory security, these entities all need labels and levels (ranks).
• In practice, assigning security levels to these sorts of entities is not easy.
Question:
• We have learned about different security models. Bell-LaPadula talks about 'Confidentiality', the Biba model talks about information 'Integrity' and Clark-Wilson about 'Integrity in business transactions'. Now, information security in organizations requires us to guarantee 'Confidentiality, Integrity and Availability', but none of these models deal with all aspects of the security goals.
Question:
• Does this mean that implementing one of these security models is good enough to ensure the other two security goals? For example, if we implement the Bell model, can we assume that 'Integrity and Availability' are dealt with under 'Confidentiality'? Do we have to adopt multiple models to achieve those security goals? Is there any unified model which deals with all the aspects of the security goals?
(A1)
• The three characteristics are independent (?) and so offering “C” does not offer “I” or “A”
• The operating system - or bureaucratic procedure - is seen to be responsible for “A”
• It would appear that if we are concerned about “I”, then some form of Clark-Wilson authorised transaction is required as well as some formal model offering protection against information leakage.
(A2)
• Considering only Bell-LaPadula, there are two obvious actions needed:
  • enrolling users
  • classifying documents
• When we have an ‘enrol user’ operation, and an ‘assign level and compartment to document’ operation, we see there have to be operations to define compartments and the hierarchy of levels
• Graham-Denning addresses these issues (Pfleeger (4ed) p 258)
Trusted Computing
• Operating System Certification
• References: Pfleeger & Pfleeger Ch 5
Trusted Computing (1)
• We want to know
  • The O/sys does what is expected
  • The O/sys only does what is specified
  • The O/sys is reliable
• We want to be assured (to have justification for our confidence) that the operating system functions correctly
Evaluation (1)
• We need evaluation criteria.
• There are now several, but the USA Department of Defence ‘Trusted Computer Security Evaluation Criteria’ are still the benchmark.
Evaluation (2)
• Target
  • Products or Systems?
• Purpose
  • Evaluation, Certification, Accreditation
  • We look for Repeatability and Reproducibility of evaluations
• Structure
  • Function, Effectiveness, Assurance
• The Evaluation process must occur in some context
Trusted Computing (2)
• USA Department of Defence
  • There must be a defined security policy enforced by the system
  • Every object must be marked with a security level ‘label’
  • Every subject must be uniquely and convincingly identified
  • Complete, secure records of actions that affect security must be kept
  • There must be mechanisms that enforce security, and the effectiveness of these mechanisms must be testable
  • The security mechanisms must be continuously protected against unauthorised change
  • Documentation must be provided for evaluators, managers and users of the system
Certification of Secure O/S (1)
• Certification is
  • the process of assessing the quality of the testing that has been performed,
  • and assigning a measure of confidence in the correctness of the system
Certification of Secure O/S (2)
• Orange Book Evaluation Criteria:
  • D: No requirement
  • C1 & C2: Documentation and Assurance (typical commercial protection)
  • B1: All objects have labels
  • B2: Proof of security; complete narrative description of kernel; Trusted Facility Management
  • B3 & A1: Formal design to some explicit security model; penetration resistant
• There are significant difficulties evaluating complex software, and few systems have been certified to the A1 level.
Trusted Computing (2)
• We do NOT get assurance by:
  • Emphatic assertion
  • The vendor stating that flaws have not been found
  • Challenges