04/18/23 1

Computer SecuritySecurity models – an overview.

04/18/23 2

Finite State Machine Models

Automata (=Finite State Machines) are a popular way Of modeling many aspects of computing systems. The essential feature of these are then concepts of:• State• State transition

04/18/23 3

Bell-LaPadula (BLP) Model

BLP StructureCombines,• .Access permission matrices for access control,• a Security lattice, for security levels,• an Automaton, for access operations.

Security policies are reduced to relations in the BLP structure.

04/18/23 4

BLP Model• A set of subjects S• A set of objects O• A set of access operations A = {execute,read,append,write}• A set L of security levels, with a partial ordering .

04/18/23 5

BLP ModelWe want to use the state of the system to check its security.

The state set is: B xM x F, where

• B = P (SxOxA) the set of current accesses b

• .M is the set of permission matrices M

• A set of security level assignments F Ls x Ls x Lo.

04/18/23 6

BLP Model

The security level assignments F Ls x Ls x Lo.

F has elements f = , where

objects. of tionclassificasecurity the gives O :–subject, each of levelsecurity current the gives :–

have, cansubject eachsecurity maximal the gives :–

L fLS fLS f

O

C

S

level.current the dominates level maximal the is,that , :require We SC ff

),,( OCS fff

04/18/23 7

BLP Model

Security policies: a state (b,M,f ) must satisfy,

1. Simple security property (ss-property): – for each access request (s,o,a) in b, with access

operation a = read, or write, the security level of s must dominate the classification of o, i.e.,

This is a no read/write up security policy

)()( sfof SO

04/18/23 8

BLP Model2. Star property (*-property):

– for each access request (s,o,a) in b, with access operation a = append, or write, the current security level of s is dominated by the classification of the object o,

i.e. . This is a no append/write down policy.

Also, if there is an (s,o,a) in b with a = append or write, then we must have

for all o’ with (s,o’,a’ ) in b and a’ = read or write

)()( ofsf OC

(o)f(o')f OO

04/18/23 9

BLP Model

3. Discretionary security property (ds-property):

-- for each access (s,o,a) in b, we must have .soMa

04/18/23 10

BLP Model

The *-property implies that is not possible to send messages to

low level subjects. There are two ways to remedy this.• Temporarily downgrade a high level subject this is why we

introduced the current security level .• Identify a set of subjects that are permitted to violate the

*-property .

These are called trusted subjects.

)(sfC

04/18/23 11

BLP Security

• A state v = (b,M,f ) is called secure if all three security properties are satisfied.

• A transition from state v1 = (b1,M1,f1) to state v2 = (b2,M2,f2) is secure if v2 is secure whenever v1 is.

04/18/23 12

BLP Security

TheoremIf all state transitions are secure and if the initial state is secure then every subsequent state is secure, no matter which inputs occur.

04/18/23 13

BLP Security

Proof -informal

A formal proof would proceed by induction on the length of the input sequences. It would build on the fact that security is preserves by state transitions.

RemarkThis theorem means that to check security you only need to check that state transitions preserve security.

04/18/23 14

BLP Security

Proof, the ss-property

A state transition from (b1,M1,f1) to (b2,M2,f2)

preserves the ss-property if and only if:

.ba)o,(s, then ,fto respectwith

property-ssthe satisfy notdoes ba)o,(s, if

.fto respectwith property-ss

the satisfies ba)o,(s,with ba)o,(s, every

22

1

2

12

04/18/23 15

BLP Security

Proof, the * & ds-property

Preservation of the *-property and the ds-property can

be described in a similar way.

04/18/23 16

BLP Security

McLean defined a BLP system which• downgrades all subjects to the lowest level,• downgrades all objects to the lowest level,• enters all access rights in all positions of the access

control matrix M.

04/18/23 17

BLP Security

A BLP system is only as good as its state

transitions are.

When a security system is designed within the framework

of a model, it is important that the implementation of the

primitives of the model captures correctly the security

requirements of the system.

04/18/23 18

Limitations of BLP

The BLP model,

1. only deals with confidentiality, not integrity,2. does not address management of access control,3. contains covert channels.

04/18/23 19

Limitations of BLP

• These are features of BLP, and should not be regarded as flaws.• Limiting the goals of a model makes it easier to deal with security issues • BLP does not state policies for the modification of access

rights.

BLP was originally intended for systems with no changes in the security levels.

04/18/23 20

Limitations of BLP

Covert channels are information channels that are not controlled by the security mechanism of the system.Information can flow (leak) from a high security level to a low security level as follows:

1. A low-level subject creates an object dummy.obj at its own level,

2. Its high-level accomplice, either upgrades it to a high level,

or does not.

3. Later the low level subject tries to read dummy.obj . If it can,

the covert bit is 1; otherwise it is 0.

04/18/23 21

Limitations of BLP

Telling a subject that a certain operation is or is not

permitted, constitutes information flow.

04/18/23 22

The Harrison-Ruzzo-Ullman (HRU) Model

The BLP model is not dynamic: it does not allow for the creation or deletion of subjects and objects and for changing access rights.

The HRU model defines authorization systems that address this issue.

04/18/23 23

HRU Model

• A set of subjects S• A set of objects O• A set of access rights R• An access matrix RMMM soOoSsso with ,)( ,

04/18/23 24

HRU Model

We also have six primitive operations,

- -

into/from -

os

Mr so

object etecreate/delsubject etecreate/del

enter

04/18/23 25

HRU ModelCommands in HRU are of type,

end

. . .

then

if

. . .

and if

and if

),...,( command

2

1

2

1

1

22

11

.

n

osk

os

os

k

op

op

op

Minr

Minr

Minr

xxc

mm

04/18/23 26

HRU ModelBasic operations are of type,

The owner s of file f grants read access to s,

end

enter

enter

enter

create

),(_ command

,

,

,

.

fs

fs

fs

Minw

Minr

Mino

f

fsfilecreate

end

enter then if

command

fs

fs

Minr

Mino

fssreadgrant

,'

,

.),',(_

04/18/23 27

HRU Model -securityDefinitions

• An access matrix M leaks the right r if there is a command that adds the right r in a position of M that did

not previously contain r, that is,

• An access matrix M is safe with respect to the right r if no sequence of commands can transform M into a state that leaks r.

So, verifying HRU security reduces to verifying safety properties.

osos MrMros ,, ' and such that ,

': MMc

04/18/23 28

HRU Model -securityTheorems

1. Given an access matrix M and a right r, verifying the safety of M with respect to the right r is an undecidable problem.

2. Given a mono-operational * authorization system, an access matrix M and a right r, verifying the safety of M with respect to the right r is decidable.

Even if two operations per command are allowed we get undecidability.3. The safety problem for authorization systems is decidable if the

number of subjects is bounded.

* Commands contain a single operation are mono-operational

04/18/23 29

The Chinese Wall Model

This models a consultancy business where analysts have to make sure that no conflicts arise when dealing with different clients (companies).Informally, a conflict arises when clients are direct competitors in the same market, or because of the ownership of companies.

04/18/23 30

The Chinese Wall Model1. A set of subjects S 2. A set of companies C3. A set of objects O

– the objects concerning the same company are called company datasets.

– the function gives the company dataset for each object.

4. The function gives the conflict of interest classes for each object.

COy :

): COx (P

04/18/23 31

The Chinese Wall Model

.emptyis)( if isobject An oxsanitised

)).(),((pair theis object an of labelsecurity The oyoxo

Conflicts of interest may also arise from objects

that have been accessed in then past.

Let Ns,o = true, if subject s has had access to object o

false, if subject s never had access to object o

04/18/23 32

The Chinese Wall Model

ss – property:

That is, access is granted only if the object requested

belongs to:• a company dataset already held by the subject

(the analyst), or • an entirely different conflict of interest class.

)()(or )()(either

: with objects

ifonly object an toaccess granted is subject A

o's,

o'xoyo'yoy

trueNo'

os

04/18/23 33

The Chinese Wall Model

* - property:

That is, write access to an object is only granted if no other

object can be read which is in a different company dataset

and contains unsanitised information.

.is)( and )()(

with object an toaccess no has ifonly

object an toaccess granted is subject A

emptynoto'xo'yoy

o'reads

owrites

04/18/23 34

The Biba Model

This model addresses integrity by using a state machine

model in a similar way to BLP.

Unlike BLP there is no single high-level integrity policy.

Instead, there is a variety of approaches.

objects. and subjects tolevelsintegrity assign which

: and : functions

and levels,integrity of ),( lattice a

usesIt

LOfLSf

L

OS

04/18/23 35

The Biba Model

• The integrity policies guarantee that information only flows downwards.

• In particular, “clean” high level entities cannot be corrupted by “dirty” low level entities.

04/18/23 36

The Biba Model – static integrity

up)- write(no

).()( then object (alter)modify can subject a If ofsfos OS

Simple integrity property :

“first try’’ : Integrity * - property :

These properties prevent clean subjects and objects from

being contaminated by dirty information.

down).-read no(

).()( then object (observe) readcan subject a If ofs fos OS

04/18/23 37

The Biba Model – static integrity

up)- write(no

).()( then object (alter)modify can subject a If ofsfos OS Simple integrity property :

Integrity * - property :

).()( ifonly object an toaccess write

havecan then object (observe) readcan subject a If

ofo' fo'

sos

OO

04/18/23 38

The Biba Model – dynamic integrity

This uses an approach similar to the Chinese Wall model,

in which the integrity of a subject is adjusted if the subject

comes into contact with low-level information.

04/18/23 39

The Biba Model – dynamic integrity

.operation

thebefore levelsintegrity theare )( and )( where

)),()(inf( is of levelintegrity new The

level.integrity any at object an )( can Subject

ofsf

o,fsfs

os

OS

OS

observereadSubject low watermark property:

Object low watermark property:

.operation

thebefore levelsintegrity are )( and )( where

)),()(inf( is of levelintegrity new The

level.integrity any at object an can Subject

ofsf

o,fsfo

os

OS

OS

modify

04/18/23 40

The Clark - Wilson Model

This model addresses the security requirements of commercial applications.

The requirements of this model are to secure data integrity.

Integrity requirements are divided into,• internal consistency: properties of the internal state that

can be enforced by the computer system.• external consistency: the relation of the internal state to

the real world: enforced by means outside the system, e.g. auditing.

04/18/23 41

The CW Model

Integrity is enforced by,• well formed transactions: data items can be manipulated only by a specific set of programs; users have access to programs rather than data items.• separation of duties: users have to collaborate to

manipulate data and collude to penetrate the system.

04/18/23 42

The CW Model

In the Clark-Wilson model,• Subjects must be identified and authenticated,• Objects can be manipulated only by a restricted set of

programs,• Subjects can execute only a restricted set of programs,• A proper audit log has to be maintained,• The system must be certified to work properly.

04/18/23 43

The CW Model

In the Clark-Wilson model,• Data items governed by the security policy are called

Constrained Data Items (CDIs),• Inputs captured as Unconstrained Data Items (UDIs),• Conversion of UDIs to CDIs is a critical part of the system which

cannot be controlled solely by the security mechanisms in the system,

• CDIs can be manipulated by Transformation Procedures (TPs)• The integrity of a state is checked by Integrity Verification

Procedure (IVPs)

04/18/23 44

The CW Model

Security procedures are defined by 5 certification rules:1. Integrity Verification Procedures must ensure that all Constrained Data

Items are in a valid state when the IVP is run.2. Transformation Procedures must be certified to be valid, i.e. CDIs must

always be transformed into CDIs.3. The access rules must certify any separation of duties requirements.4. All TPs must write to an append-only log.5. Any TP that takes a UDI as input must either convert it into a CDI or

reject it.

04/18/23 45

The CW ModelSecurity procedures are enforced by the 4 rules:1. The system must maintain and protect the list of entries:

(TPi:CDIa,CDIb, … ) giving the CDIs that the TP is certified to access.2. The system must maintain and protect the list of entries:

(UserID,TPi:CDIa,CDIb, … ) specifying the TPs that users can execute.3. The system must authenticate each user requesting to execute a TP.4. Only a subject that may certify an access rule for a TP may modify

the respective entry in the list. This subject must not have execute rights on that TP.

04/18/23 46

In the BLP model information can flow from a low security level to a high security level through access operations without any loss of confidential information.

Informally, a state transition from one object x to another object y causes

information flow if we learn more about x by observing y.

Information - Flow Models

04/18/23 47

If you already know x then no information can flow

from x. Otherwise we have:

• Explicit information flow

-- Observing y after the assignment y:=x tells you the value of x.

• Implicit information flow

-- Observing y after the conditional statement • If x=0 then y:=1

may tell you something about x even if y is not 1,

e.g. if y = 2. Then we deduce that x is not 0.

Information - Flow Models

04/18/23 48

A precise quantitative definition for information

flow can be given in terms of Information Theory.– The information flow from x to y is measured by

the equivocation (conditional entropy)

H (x | y) of x, given y.

Information - Flow Models

04/18/23 49

Information - Flow Models

The components of the information flow model are:• A lattice• A set of labeled objects

•

(covert). illegal is this violates thatflow ninformatioAny

.

:ifonly permitted is label withobject an to label

withobject an fromflow ninformatio :policysecurity The

21

21

cc

cc

04/18/23 50

Information - Flow Models

An IF system is secure if there is no illegal information flow.

• Advantages: it covers all kinds of information flow.• Disadvantages: far more difficult to design such systems.

E.g. checking whether a given system in the IF model is secure is an undecidable problem.

04/18/23 51

Information - Flow Models

One must also distinguish between – static enforcement and – dynamic enforcement

of the information flow policies.

04/18/23 52

Information - Flow Models

An alternative to information flow models are – non-interference models.

These provide a different formalism to describe the

knowledge of subjects regarding the state of the system.

system.

theof views'on influence no have of actions

theif subject with interferenot doesSubject

21

21

ss

s s