620 likes | 2.01k Views
Bell-LaPadula Model – read down/write up. Security levels arranged in linear ordering Top Secret: highest Secret Confidential Unclassified: lowest Levels consist of security clearance L ( s ) Objects have security classification L ( o ). Tamara can read all files
E N D
Bell-LaPadula Model – read down/write up • Security levels arranged in linear ordering • Top Secret: highest • Secret • Confidential • Unclassified: lowest • Levels consist of security clearance L(s) • Objects have security classification L(o) • Tamara can read all files • Claire cannot read Personnel or E-Mail Files • Alice can only read Telephone Lists
Reading Information • Information flows up, not down • “Reads up” disallowed, “reads down” allowed • Simple Security Condition • Subject s can read object o iff, L(o) ≤ L(s) and s has permission to read o • Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission) • Sometimes called “no reads up” rule
Writing Information • Information flows up, not down • “Writes up” allowed, “writes down” disallowed • *-Property • Subject s can write object o iff L(s) ≤ L(o) and s has permission to write o • Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission) • Sometimes called “no writes down” rule
Basic Security Theorem • If a system is initially in a secure state, and every transition of the system satisfies the simple security condition, and the *-property, then every state of the system is secure • Proof: induct on the number of transitions
Biba integrity model (confidentiality model) • Bell-La Padula model (read-down/write-up) • Biba (read-up/write-down) – dual of BLP model • Subject cannot corrupt data in a higher level • Subject cannot be corrupted by data with a lower level • sS can read o O iff i(s) ≤ i(o) • sS can write to o O iff i(o) ≤ i(s) • s1 S can execute s2 S iff i(s2) ≤ i(s1) • i is integrity level
Motivation: Hurricane Katrina 2005 • The Coast Guard was one of the worst off enders: FEMA officials would later say the agency [Coast Guard] did almost nothing to keep other units up to speed on its activities [Garnett, Kouzmin 07] Another of the tragedies of Katrina came when interorganizational networking failed to rise to the occasion. Federal agencies were too seldom on the same page -- even agencies within the same department, such as FEMA and the HSOC. …, it also stemmed from differences in organizational culture and lack of trust that surfaced before Katrina had even formed.
Quantified risk adaptive access control • The problem is about balancing risk vs. benefit tradeoffs and existing access control policies • Traditional models specify these tradeoffs statically • Goal: to be adaptive to the dynamic environments and the needs to which the policies are applied. • An organization continually optimizes access control based on risk vs. benefit tradeoffs • Constraint: capping overall risk cannot be realized. IBM paper: Fuzzy Multi–Level Security : An Experiment on Quantified Risk–Adaptive Access Control Pau–Chen Cheng et al. [IEEE Security&Privacy 07]
Intuition for fuzzy multi-level security • Need to determining the probability of unauthorized disclosure • A precise determination is generally impossible since that would require predicting future user behaviors. • For example, • the probability should be very high when a person without security clearance is given access to top secret information, • but relatively low if the access is given to a person with top secret clearance. • The model also asks the user to claim the perceived benefits of access • Self-claimed benefit value • Need to have an audit system
Probabilistic model in fuzzy MLS • Probability of unauthorized disclosure P = P1 + P2 − P1P2 • The Fuzzy MLS model considers P1 to be the probability that a human subject (a user) leaks the information by succumbing to temptation and P2 to be the probability of inadvertent disclosure, regardless of a subject’s intention. • The model estimates P1 and P2 but they are no longer binary. • Thus, the Fuzzy MLS model quantifies the risk that is the concern of the simple security property of the Bell–LaPadula model; • this property states that a subject can not read up and is meant to prevent unauthorized disclosure of information to human subjects.
Integrity policy: motivation • In commercial environments, who examines and certifies that the transactions are performed correctly? • When a company receives an invoice, the purchasing office requires 2 steps: • Someone must have requested a service, and determined the account that would pay for the service • Someone must validate the invoice, the account must be debited, the check is written and signed • Need at least two different people perform the transactions • Separation of duty
Clark-Wilson model • Aimed at commercial rather than military applications, and closely models real commercial operations. • Proposed a set of rules • To form a two-part integrity assurance facility • Certification is done by a security officer with respect to an integrity policy • Enforcement is done by the system
Entities • constrained data items: CDI • Data subject to integrity controls • unconstrained data items: UDI • Data not subject to integrity controls • integrity verification procedures: TVP • Procedures that test the constrained data items conform to the integrity constraints • transaction procedures: TP • Procedures that take the system from one valid state to another
Certification Rules 1 and 2 CR1 When any integrity verification procedure is run, it must ensure all constrained data items are in a valid state CR2 For some associated set of constrained data items, a transaction procedure (TP) must transform those constrained data items in a valid state into a (possibly different) valid state • Defines relation certified that associates a set of constrained data items with a particular transaction procedure • Example: transaction procedure balance, constrained data items accounts, in bank example However, the system should specify the scope of a TP’s power. That’s next.
Enforcement Rules and User rules ER1 only transaction procedures certified to run on a constrained data item manipulate that constrained data item. ER2 associate a user with each transaction procedure and set of constrained data items ER3 The system must authenticate each user attempting to execute a transaction procedure E.g., a user certified to do stock investment is not allowed to mess up bank balance
Separation of Duty In Model ER4 Only the certifier of a transaction procedure may change the list of entities associated with that transaction procedure. No certifier of a transaction procedure may ever have execute permission with respect to that entity. • Enforces separation of duty with respect to certified and allowed relations CR3 The allowed relations must meet the requirements imposed by the principle of separation of duty.
Logging CR4 All transaction procedures must append enough information to reconstruct the operation to an append-only constrained data item.
Handling Untrusted Input CR5 Any TP that takes an unconstrained data item (UDI) as an input value must be certified to perform only valid transformations, or else no transformations, for any possible value of the UDI. E.g., In bank, numbers entered at keyboard are unconstrained data items, so cannot be input to transaction procedures. • transaction procedures must validate numbers (to make them a constrained data item) before using them; • if validation fails, transaction procedure rejects unconstrained data item If you claim you deposit $1million, the bank needs to validate that claim
Key Points • Confidentiality models restrict flow of information • Bell-LaPadula models multilevel security • Cornerstone of much work in computer security • BLP model is generally believed to be very restrictive • Integrity policies deal with trust • As trust is hard to quantify, these policies are hard to evaluate completely • Look for assumptions and trusted users to find possible weak points in their implementation • Clark-Wilson focuses on separation of duty and transactions