12/4/20151 computer security security models – an overview
TRANSCRIPT
04/18/23 1
Computer SecuritySecurity models – an overview.
04/18/23 2
Finite State Machine Models
Automata (=Finite State Machines) are a popular way Of modeling many aspects of computing systems. The essential feature of these are then concepts of:• State• State transition
04/18/23 3
Bell-LaPadula (BLP) Model
BLP StructureCombines,• .Access permission matrices for access control,• a Security lattice, for security levels,• an Automaton, for access operations.
Security policies are reduced to relations in the BLP structure.
04/18/23 4
BLP Model• A set of subjects S• A set of objects O• A set of access operations A = {execute,read,append,write}• A set L of security levels, with a partial ordering .
04/18/23 5
BLP ModelWe want to use the state of the system to check its security.
The state set is: B xM x F, where
• B = P (SxOxA) the set of current accesses b
• .M is the set of permission matrices M
• A set of security level assignments F Ls x Ls x Lo.
04/18/23 6
BLP Model
The security level assignments F Ls x Ls x Lo.
F has elements f = , where
objects. of tionclassificasecurity the gives O :–subject, each of levelsecurity current the gives :–
have, cansubject eachsecurity maximal the gives :–
L fLS fLS f
O
C
S
level.current the dominates level maximal the is,that , :require We SC ff
),,( OCS fff
04/18/23 7
BLP Model
Security policies: a state (b,M,f ) must satisfy,
1. Simple security property (ss-property): – for each access request (s,o,a) in b, with access
operation a = read, or write, the security level of s must dominate the classification of o, i.e.,
This is a no read/write up security policy
)()( sfof SO
04/18/23 8
BLP Model2. Star property (*-property):
– for each access request (s,o,a) in b, with access operation a = append, or write, the current security level of s is dominated by the classification of the object o,
i.e. . This is a no append/write down policy.
Also, if there is an (s,o,a) in b with a = append or write, then we must have
for all o’ with (s,o’,a’ ) in b and a’ = read or write
)()( ofsf OC
(o)f(o')f OO
04/18/23 9
BLP Model
3. Discretionary security property (ds-property):
-- for each access (s,o,a) in b, we must have .soMa
04/18/23 10
BLP Model
The *-property implies that is not possible to send messages to
low level subjects. There are two ways to remedy this.• Temporarily downgrade a high level subject this is why we
introduced the current security level .• Identify a set of subjects that are permitted to violate the
*-property .
These are called trusted subjects.
)(sfC
04/18/23 11
BLP Security
• A state v = (b,M,f ) is called secure if all three security properties are satisfied.
• A transition from state v1 = (b1,M1,f1) to state v2 = (b2,M2,f2) is secure if v2 is secure whenever v1 is.
04/18/23 12
BLP Security
TheoremIf all state transitions are secure and if the initial state is secure then every subsequent state is secure, no matter which inputs occur.
04/18/23 13
BLP Security
Proof -informal
A formal proof would proceed by induction on the length of the input sequences. It would build on the fact that security is preserves by state transitions.
RemarkThis theorem means that to check security you only need to check that state transitions preserve security.
04/18/23 14
BLP Security
Proof, the ss-property
A state transition from (b1,M1,f1) to (b2,M2,f2)
preserves the ss-property if and only if:
.ba)o,(s, then ,fto respectwith
property-ssthe satisfy notdoes ba)o,(s, if
.fto respectwith property-ss
the satisfies ba)o,(s,with ba)o,(s, every
22
1
2
12
04/18/23 15
BLP Security
Proof, the * & ds-property
Preservation of the *-property and the ds-property can
be described in a similar way.
04/18/23 16
BLP Security
McLean defined a BLP system which• downgrades all subjects to the lowest level,• downgrades all objects to the lowest level,• enters all access rights in all positions of the access
control matrix M.
04/18/23 17
BLP Security
A BLP system is only as good as its state
transitions are.
When a security system is designed within the framework
of a model, it is important that the implementation of the
primitives of the model captures correctly the security
requirements of the system.
04/18/23 18
Limitations of BLP
The BLP model,
1. only deals with confidentiality, not integrity,2. does not address management of access control,3. contains covert channels.
04/18/23 19
Limitations of BLP
• These are features of BLP, and should not be regarded as flaws.• Limiting the goals of a model makes it easier to deal with security issues • BLP does not state policies for the modification of access
rights.
BLP was originally intended for systems with no changes in the security levels.
04/18/23 20
Limitations of BLP
Covert channels are information channels that are not controlled by the security mechanism of the system.Information can flow (leak) from a high security level to a low security level as follows:
1. A low-level subject creates an object dummy.obj at its own level,
2. Its high-level accomplice, either upgrades it to a high level,
or does not.
3. Later the low level subject tries to read dummy.obj . If it can,
the covert bit is 1; otherwise it is 0.
04/18/23 21
Limitations of BLP
Telling a subject that a certain operation is or is not
permitted, constitutes information flow.
04/18/23 22
The Harrison-Ruzzo-Ullman (HRU) Model
The BLP model is not dynamic: it does not allow for the creation or deletion of subjects and objects and for changing access rights.
The HRU model defines authorization systems that address this issue.
04/18/23 23
HRU Model
• A set of subjects S• A set of objects O• A set of access rights R• An access matrix RMMM soOoSsso with ,)( ,
04/18/23 24
HRU Model
We also have six primitive operations,
- -
into/from -
os
Mr so
object etecreate/delsubject etecreate/del
enter
04/18/23 25
HRU ModelCommands in HRU are of type,
end
. . .
then
if
. . .
and if
and if
),...,( command
2
1
2
1
1
22
11
.
n
osk
os
os
k
op
op
op
Minr
Minr
Minr
xxc
mm
04/18/23 26
HRU ModelBasic operations are of type,
The owner s of file f grants read access to s,
end
enter
enter
enter
create
),(_ command
,
,
,
.
fs
fs
fs
Minw
Minr
Mino
f
fsfilecreate
end
enter then if
command
fs
fs
Minr
Mino
fssreadgrant
,'
,
.),',(_
04/18/23 27
HRU Model -securityDefinitions
• An access matrix M leaks the right r if there is a command that adds the right r in a position of M that did
not previously contain r, that is,
• An access matrix M is safe with respect to the right r if no sequence of commands can transform M into a state that leaks r.
So, verifying HRU security reduces to verifying safety properties.
osos MrMros ,, ' and such that ,
': MMc
04/18/23 28
HRU Model -securityTheorems
1. Given an access matrix M and a right r, verifying the safety of M with respect to the right r is an undecidable problem.
2. Given a mono-operational * authorization system, an access matrix M and a right r, verifying the safety of M with respect to the right r is decidable.
Even if two operations per command are allowed we get undecidability.3. The safety problem for authorization systems is decidable if the
number of subjects is bounded.
* Commands contain a single operation are mono-operational
04/18/23 29
The Chinese Wall Model
This models a consultancy business where analysts have to make sure that no conflicts arise when dealing with different clients (companies).Informally, a conflict arises when clients are direct competitors in the same market, or because of the ownership of companies.
04/18/23 30
The Chinese Wall Model1. A set of subjects S 2. A set of companies C3. A set of objects O
– the objects concerning the same company are called company datasets.
– the function gives the company dataset for each object.
4. The function gives the conflict of interest classes for each object.
COy :
): COx (P
04/18/23 31
The Chinese Wall Model
.emptyis)( if isobject An oxsanitised
)).(),((pair theis object an of labelsecurity The oyoxo
Conflicts of interest may also arise from objects
that have been accessed in then past.
Let Ns,o = true, if subject s has had access to object o
false, if subject s never had access to object o
04/18/23 32
The Chinese Wall Model
ss – property:
That is, access is granted only if the object requested
belongs to:• a company dataset already held by the subject
(the analyst), or • an entirely different conflict of interest class.
)()(or )()(either
: with objects
ifonly object an toaccess granted is subject A
o's,
o'xoyo'yoy
trueNo'
os
04/18/23 33
The Chinese Wall Model
* - property:
That is, write access to an object is only granted if no other
object can be read which is in a different company dataset
and contains unsanitised information.
.is)( and )()(
with object an toaccess no has ifonly
object an toaccess granted is subject A
emptynoto'xo'yoy
o'reads
owrites
04/18/23 34
The Biba Model
This model addresses integrity by using a state machine
model in a similar way to BLP.
Unlike BLP there is no single high-level integrity policy.
Instead, there is a variety of approaches.
objects. and subjects tolevelsintegrity assign which
: and : functions
and levels,integrity of ),( lattice a
usesIt
LOfLSf
L
OS
04/18/23 35
The Biba Model
• The integrity policies guarantee that information only flows downwards.
• In particular, “clean” high level entities cannot be corrupted by “dirty” low level entities.
04/18/23 36
The Biba Model – static integrity
up)- write(no
).()( then object (alter)modify can subject a If ofsfos OS
Simple integrity property :
“first try’’ : Integrity * - property :
These properties prevent clean subjects and objects from
being contaminated by dirty information.
down).-read no(
).()( then object (observe) readcan subject a If ofs fos OS
04/18/23 37
The Biba Model – static integrity
up)- write(no
).()( then object (alter)modify can subject a If ofsfos OS Simple integrity property :
Integrity * - property :
).()( ifonly object an toaccess write
havecan then object (observe) readcan subject a If
ofo' fo'
sos
OO
04/18/23 38
The Biba Model – dynamic integrity
This uses an approach similar to the Chinese Wall model,
in which the integrity of a subject is adjusted if the subject
comes into contact with low-level information.
04/18/23 39
The Biba Model – dynamic integrity
.operation
thebefore levelsintegrity theare )( and )( where
)),()(inf( is of levelintegrity new The
level.integrity any at object an )( can Subject
ofsf
o,fsfs
os
OS
OS
observereadSubject low watermark property:
Object low watermark property:
.operation
thebefore levelsintegrity are )( and )( where
)),()(inf( is of levelintegrity new The
level.integrity any at object an can Subject
ofsf
o,fsfo
os
OS
OS
modify
04/18/23 40
The Clark - Wilson Model
This model addresses the security requirements of commercial applications.
The requirements of this model are to secure data integrity.
Integrity requirements are divided into,• internal consistency: properties of the internal state that
can be enforced by the computer system.• external consistency: the relation of the internal state to
the real world: enforced by means outside the system, e.g. auditing.
04/18/23 41
The CW Model
Integrity is enforced by,• well formed transactions: data items can be manipulated only by a specific set of programs; users have access to programs rather than data items.• separation of duties: users have to collaborate to
manipulate data and collude to penetrate the system.
04/18/23 42
The CW Model
In the Clark-Wilson model,• Subjects must be identified and authenticated,• Objects can be manipulated only by a restricted set of
programs,• Subjects can execute only a restricted set of programs,• A proper audit log has to be maintained,• The system must be certified to work properly.
04/18/23 43
The CW Model
In the Clark-Wilson model,• Data items governed by the security policy are called
Constrained Data Items (CDIs),• Inputs captured as Unconstrained Data Items (UDIs),• Conversion of UDIs to CDIs is a critical part of the system which
cannot be controlled solely by the security mechanisms in the system,
• CDIs can be manipulated by Transformation Procedures (TPs)• The integrity of a state is checked by Integrity Verification
Procedure (IVPs)
04/18/23 44
The CW Model
Security procedures are defined by 5 certification rules:1. Integrity Verification Procedures must ensure that all Constrained Data
Items are in a valid state when the IVP is run.2. Transformation Procedures must be certified to be valid, i.e. CDIs must
always be transformed into CDIs.3. The access rules must certify any separation of duties requirements.4. All TPs must write to an append-only log.5. Any TP that takes a UDI as input must either convert it into a CDI or
reject it.
04/18/23 45
The CW ModelSecurity procedures are enforced by the 4 rules:1. The system must maintain and protect the list of entries:
(TPi:CDIa,CDIb, … ) giving the CDIs that the TP is certified to access.2. The system must maintain and protect the list of entries:
(UserID,TPi:CDIa,CDIb, … ) specifying the TPs that users can execute.3. The system must authenticate each user requesting to execute a TP.4. Only a subject that may certify an access rule for a TP may modify
the respective entry in the list. This subject must not have execute rights on that TP.
04/18/23 46
In the BLP model information can flow from a low security level to a high security level through access operations without any loss of confidential information.
Informally, a state transition from one object x to another object y causes
information flow if we learn more about x by observing y.
Information - Flow Models
04/18/23 47
If you already know x then no information can flow
from x. Otherwise we have:
• Explicit information flow
-- Observing y after the assignment y:=x tells you the value of x.
• Implicit information flow
-- Observing y after the conditional statement • If x=0 then y:=1
may tell you something about x even if y is not 1,
e.g. if y = 2. Then we deduce that x is not 0.
Information - Flow Models
04/18/23 48
A precise quantitative definition for information
flow can be given in terms of Information Theory.– The information flow from x to y is measured by
the equivocation (conditional entropy)
H (x | y) of x, given y.
Information - Flow Models
04/18/23 49
Information - Flow Models
The components of the information flow model are:• A lattice• A set of labeled objects
•
(covert). illegal is this violates thatflow ninformatioAny
.
:ifonly permitted is label withobject an to label
withobject an fromflow ninformatio :policysecurity The
21
21
cc
cc
04/18/23 50
Information - Flow Models
An IF system is secure if there is no illegal information flow.
• Advantages: it covers all kinds of information flow.• Disadvantages: far more difficult to design such systems.
E.g. checking whether a given system in the IF model is secure is an undecidable problem.
04/18/23 51
Information - Flow Models
One must also distinguish between – static enforcement and – dynamic enforcement
of the information flow policies.
04/18/23 52
Information - Flow Models
An alternative to information flow models are – non-interference models.
These provide a different formalism to describe the
knowledge of subjects regarding the state of the system.
system.
theof views'on influence no have of actions
theif subject with interferenot doesSubject
21
21
ss
s s