Information Security Principles & Applications, Topic 6: Security Policy Models, 虞慧群...
Post on 18-Dec-2015
![Page 2: Information Security Principles & Applications Topic 6: Security Policy Models 虞慧群 yhq@ecust.edu.cn](https://reader035.vdocuments.mx/reader035/viewer/2022081418/56649d245503460f949fab12/html5/thumbnails/2.jpg)
Introduction
- The primary mission of information security is to ensure that systems and their contents stay the same.
- If there were no threats, we could focus on improving systems, resulting in vast improvements in ease of use and usefulness.
- Attacks on information systems are a daily occurrence.
Security Policy
- Defines what it means for a system to be secure
- Formally: partitions a system into
  - a set of secure (authorized) states
  - a set of non-secure (unauthorized) states
- A secure system is one that
  - starts in an authorized state
  - cannot enter an unauthorized state
Secure System - Example
[Figure: a finite state machine with states A, B, C and D, partitioned into authorized and unauthorized states]
- Is this finite state machine secure?
  - if A is the start state?
  - if B is the start state?
  - if C is the start state?
- How can it be made secure if it is not?
- What if A, B, and C are the authorized states?
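The slide's question can be answered mechanically: a system is secure when its start state is authorized and no unauthorized state is reachable from it. The following is an added example, not part of the lecture slides; the transition graph and the choice of D as the only unauthorized state are constructed, since the slide's figure does not give its arrows.

```python
# Added example (not from the slides): deciding whether a finite state machine
# is "secure" in the slide's sense, i.e. it starts in an authorized state and
# can never enter an unauthorized one. The transition graph below is
# constructed for illustration; the slide's figure does not give its arrows.
from collections import deque

AUTHORIZED = {"A", "B", "C"}          # assumption: A, B, C authorized, D not
TRANSITIONS = {                       # constructed transition relation
    "A": {"B"},
    "B": {"C"},
    "C": {"C", "D"},
    "D": {"A"},
}


def reachable(start, transitions):
    """All states reachable from `start` (including `start`), by BFS."""
    seen = {start}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        for t in transitions.get(s, ()):
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen


def is_secure(start, transitions, authorized):
    """A system is secure iff it starts authorized and stays authorized."""
    if start not in authorized:
        return False
    return reachable(start, transitions) <= authorized


def violating_transitions(transitions, authorized):
    """Edges that lead out of the authorized set. Removing them (or declaring
    their target authorized) is what it takes to make the system secure."""
    return {(s, t) for s, targets in transitions.items()
            for t in targets if s in authorized and t not in authorized}


def remove_edges(transitions, edges):
    """Copy of `transitions` with the given edges removed."""
    fixed = {s: set(targets) for s, targets in transitions.items()}
    for s, t in edges:
        fixed[s].discard(t)
    return fixed


if __name__ == "__main__":
    for start in "ABCD":
        print(start, "secure?", is_secure(start, TRANSITIONS, AUTHORIZED))
    bad = violating_transitions(TRANSITIONS, AUTHORIZED)
    print("violating transitions:", bad)
    print("after removal, A secure?",
          is_secure("A", remove_edges(TRANSITIONS, bad), AUTHORIZED))
```

With the constructed graph, starting in A is not secure because C can move to D; dropping the C→D edge (or declaring D authorized) is the repair the slide asks for.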
Additional Definitions:
- Security breach: the system enters an unauthorized state
Let X be a set of entities and I be information.
- I has confidentiality with respect to X if no member of X can obtain information on I
- I has integrity with respect to X if all members of X trust I
  - trust I, its conveyance and protection (data integrity)
  - I may be origin information or an identity (authentication)
  - I is a resource: its integrity implies it functions as it should (assurance)
- I has availability with respect to X if all members of X can access I
  - time limits (quality of service)
Confidentiality Policy
- Also known as an information flow policy
  - transfer of rights
  - transfer of information without transfer of rights
  - temporal context
- Highly developed in the military/government world
Integrity Policy
- Defines how information can be altered
  - entities allowed to alter data
  - conditions under which data can be altered
  - limits to changes of data
- Examples:
  - a purchase over $1000 requires a signature
  - a check over $10,000 must be approved by one person and cashed by another
  - separation of duties: for preventing fraud
- Highly developed in the commercial world
Availability Policy
An availability policy describes what services must be provided.
It may present parameters within which the service will be accessible.
It may require a level of service.
Security Mechanism
- Policy describes what is allowed and/or what is not.
- Mechanism: an entity or procedure that enforces (part of) a policy.
- Example
  - Policy: students should not copy homework.
  - Mechanism: disallow access to files owned by other users.
  - Does the mechanism enforce the policy?
Security Model
- Security policy: what is/isn't authorized
  - Problem: policy specification is often informal
    - implicit vs. explicit
    - ambiguity
- Security model: a model that represents a particular policy (or policies)
  - the model must be explicit and unambiguous
  - abstracts details for analysis
High-Level Policy Languages
- High-level: independent of mechanisms
  - constraints expressed independently of the enforcement mechanism
  - constraints restrict entities and actions
  - constraints expressed unambiguously
- Requires a precise language, usually a mathematical, logical, or programming-like language
- Example: Domain-Type Enforcement Language
  - subjects partitioned into domains
  - objects partitioned into types
  - each domain has a set of rights over each type
Example: Web Browser
- Goal: restrict the actions of Java programs that are downloaded and executed under control of a web browser
- Language specific to Java programs
- Expresses constraints as conditions restricting the invocation of entities
Expressing Constraints
- Entities are classes and methods
  - Class: set of objects that an access constraint constrains
  - Method: set of ways an operation can be invoked
- Operations
  - Instantiation: s creates an instance of class c, written s ├ c
  - Invocation: s1 executes object s2, written s1 |→ s2
- Access constraints: deny(s op x) when b
  - when b is true, subject s cannot perform op on (subject or class) x; an empty s means all subjects
Sample Constraints
- A downloaded program cannot access the password database file on a UNIX system
- The program's class and methods for files:

    class File {
        public File(String name);
        public String getfilename();
        public char read();
        ...
    }

- Constraint:

    deny(|→ file.read) when (file.getfilename() == "/etc/passwd")
Low-Level Policy Languages
- Low-level: close to mechanisms
  - a set of inputs or arguments to commands that set, or check, constraints on a system
- Example: Tripwire: flags what has changed
  - a configuration file specifies the settings to be checked
  - a history file keeps the old (good) example
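To make the Tripwire idea concrete, here is an added example (my own code, not Tripwire's and not from the slides) of the mechanism behind such a low-level policy tool: a configuration lists the files to check, a stored baseline of digests plays the role of the history file, and a later run reports what changed. The directory contents and the later edits are constructed in a temporary directory so the script runs anywhere.

```python
# Added example (not Tripwire's code): the mechanism behind a low-level policy
# tool like Tripwire. The "configuration" lists which files to check, the
# "history" is a stored snapshot of known-good digests, and a run flags what
# changed. All files and contents below are constructed in a temp directory.
import hashlib
import os
import tempfile


def digest(path):
    """SHA-256 of a file's contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, config):
    """Map each configured relative path to its digest (None if missing)."""
    snap = {}
    for rel in config:
        p = os.path.join(root, rel)
        snap[rel] = digest(p) if os.path.isfile(p) else None
    return snap


def compare(baseline, current):
    """Report paths that were added, removed or modified since the baseline."""
    report = {"added": [], "removed": [], "modified": []}
    for rel in sorted(set(baseline) | set(current)):
        old, new = baseline.get(rel), current.get(rel)
        if old is None and new is not None:
            report["added"].append(rel)
        elif old is not None and new is None:
            report["removed"].append(rel)
        elif old != new:
            report["modified"].append(rel)
    return report


def demo():
    """Constructed scenario: take a baseline, then edit one file, delete
    another and create a third; return the resulting change report."""
    root = tempfile.mkdtemp()
    config = ["etc/passwd", "etc/hosts", "bin/ls", "etc/motd"]   # the "policy"
    initial = {                                                  # constructed contents
        "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
        "etc/hosts": b"127.0.0.1 localhost\n",
        "bin/ls": b"\x7fELF-placeholder\n",
    }
    for rel, data in initial.items():
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)
    baseline = snapshot(root, config)          # the "history" of good values

    # later: changes on the system (constructed)
    with open(os.path.join(root, "etc/passwd"), "ab") as f:
        f.write(b"svc:x:1001:1001::/var/empty:/bin/sh\n")
    os.remove(os.path.join(root, "bin/ls"))
    with open(os.path.join(root, "etc/motd"), "wb") as f:
        f.write(b"welcome\n")
    return compare(baseline, snapshot(root, config))


if __name__ == "__main__":
    print(demo())
```

The baseline is only as trustworthy as the state it was taken in, which is why the slide calls the history file the old "good" example; in practice it is stored offline or read-only so that the thing being checked cannot rewrite its own reference.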
Confidentiality Policy
- Also known as an information flow policy
  - integrity is a secondary objective, e.g. a military mission date
- Bell-LaPadula Model: formally models military requirements
  - information has sensitivity levels or classifications
  - subjects have clearances
  - subjects with clearance are allowed access
- Multi-level access control or mandatory access control
Bell-LaPadula: Basics
- Mandatory access control
- Entities are assigned security levels
  - a subject has a security clearance L(s) = l_s
  - an object has a security classification L(o) = l_o
- Simplest case: security levels are arranged in a linear order l_i < l_(i+1)
- Example: Top Secret > Secret > Confidential > Unclassified
“No Read Up”
- Information is allowed to flow up, not down
- Simple security property: s can read o if and only if l_o ≤ l_s and s has read access to o
  - combines mandatory (security levels) and discretionary (permission required) controls
  - prevents subjects from reading objects at higher levels (the No Read Up rule)
“No Write Down”
- Information is allowed to flow up, not down
- *-property: s can write o if and only if l_s ≤ l_o and s has write access to o
  - combines mandatory (security levels) and discretionary (permission required) controls
  - prevents subjects from writing to objects at lower levels (the No Write Down rule)
Example
Security level    Subject    Object
Top Secret        Tamara     Personnel Files
Secret            Samuel     E-Mail Files
Confidential      Claire     Activity Logs
Unclassified      Ulaley     Telephone Lists

- Tamara can read which objects? And write?
- Claire cannot read which objects? And write?
- Ulaley can read which objects? And write?
Access Rules
- Secure system: one in which both properties hold
- Theorem: Let Σ be a system with secure initial state σ0 and T be a set of state transformations. If every element of T follows the rules, every state σi is secure.
- Proof: by induction
Categories
- A total order of classifications is not flexible enough
  - Alice cleared for missiles; Bob cleared for warheads; both cleared for targets
- Solution: categories
  - use a set of compartments (drawn from the power set of compartments)
  - enforces the "need to know" principle
  - security levels become pairs (security level, category set), e.g. (Top Secret, {Nuc, Eur, Asi}), (Top Secret, {Nuc, Asi})
- Combining with clearance: (L, C) dominates (L', C') iff L' ≤ L and C' ⊆ C
  - induces a lattice of security levels
Lattice of categories
[Figure: Hasse diagram of the subsets of {Nuc, Eur, Us} ordered by inclusion: {} at the bottom; {Nuc}, {Eur}, {Us}; then {Nuc, Eur}, {Nuc, Us}, {Eur, Us}; and {Nuc, Eur, Us} at the top]
- Examples of levels
  - (Top Secret, {Nuc, Asi}) dom (Secret, {Nuc})
  - (Secret, {Nuc, Eur}) dom (Confidential, {Nuc, Eur})
  - (Top Secret, {Nuc}) ¬dom (Confidential, {Eur}), since {Eur} ⊄ {Nuc}
- Bounds: greatest lower bound and least upper bound
  - glb of {X, Nuc, Us} & {X, Eur, Us}?
  - lub of {X, Nuc, Us} & {X, Eur, Us}?
Access Rules
- Simple Security Condition: S can read O if and only if S dom O and S has read access to O
- *-Property: S can write O if and only if O dom S and S has write access to O
- Secure system: one with the above properties
- Theorem: Let Σ be a system with secure initial state σ0 and T be a set of state transformations. If every element of T follows the rules, every state σi is secure.
Problem: no write-down
- A cleared subject can't communicate with a non-cleared subject
  - any write from l_i to l_k, i > k, would violate the *-property; a subject at l_i can only write to l_i and above
  - any read from l_k to l_i, i > k, would violate the simple security property; a subject at l_k can only read from l_k and below
  - so a subject at level i can't write something readable by a subject at level k: not very practical
- A solution: each subject has a maximum security level and a current security level. A subject may decrease its current level from the maximum in order to communicate with entities at lower security levels.
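The following added example (my own code, not from the slides) implements the Bell-LaPadula pieces discussed in the preceding slides over levels of the form (classification, category set): the dominance relation and the glb/lub bounds of the category lattice, the simple security condition and *-property, the Tamara/Samuel/Claire/Ulaley table, and the maximum-vs-current level fix for the no-write-down problem. The category names and the way a subject lowers its current level are assumptions of the example.

```python
# Added example (not from the slides): Bell-LaPadula over security levels of
# the form (classification, category set): the dominance relation, greatest
# lower / least upper bounds, the simple security condition and *-property,
# the slide's Tamara/Claire/Ulaley table, and a subject's maximum vs current
# level. All subjects, objects and category names are constructed.

CLASSIFICATIONS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {c: i for i, c in enumerate(CLASSIFICATIONS)}


def dom(a, b):
    """(L, C) dom (L', C')  iff  L' <= L and C' is a subset of C."""
    (l1, c1), (l2, c2) = a, b
    return RANK[l2] <= RANK[l1] and frozenset(c2) <= frozenset(c1)


def glb(a, b):
    """Greatest lower bound: lower classification, intersection of categories."""
    return (CLASSIFICATIONS[min(RANK[a[0]], RANK[b[0]])],
            frozenset(a[1]) & frozenset(b[1]))


def lub(a, b):
    """Least upper bound: higher classification, union of categories."""
    return (CLASSIFICATIONS[max(RANK[a[0]], RANK[b[0]])],
            frozenset(a[1]) | frozenset(b[1]))


def can_read(subject_level, object_level, has_read_perm=True):
    """Simple security condition: L(s) dom L(o) plus discretionary read."""
    return has_read_perm and dom(subject_level, object_level)


def can_write(subject_level, object_level, has_write_perm=True):
    """*-property: L(o) dom L(s) plus discretionary write."""
    return has_write_perm and dom(object_level, subject_level)


# The slide's linear-order example (empty category sets).
OBJECTS = {"Personnel Files": ("Top Secret", ()), "E-Mail Files": ("Secret", ()),
           "Activity Logs": ("Confidential", ()), "Telephone Lists": ("Unclassified", ())}
SUBJECTS = {"Tamara": ("Top Secret", ()), "Samuel": ("Secret", ()),
            "Claire": ("Confidential", ()), "Ulaley": ("Unclassified", ())}


def readable(subject):
    return sorted(o for o, lvl in OBJECTS.items() if can_read(SUBJECTS[subject], lvl))


def writable(subject):
    return sorted(o for o, lvl in OBJECTS.items() if can_write(SUBJECTS[subject], lvl))


class Subject:
    """A subject with a fixed maximum level and an adjustable current level.
    Lowering the current level is how a cleared subject writes to (and so
    communicates with) lower-level entities without breaking the *-property."""

    def __init__(self, max_level):
        self.max_level = max_level
        self.current = max_level

    def set_current(self, level):
        # assumption: the current level may be any level dominated by the maximum
        if not dom(self.max_level, level):
            raise ValueError("current level must be dominated by the maximum level")
        self.current = level


def communicate_down(max_level, target_object_level):
    """Write check before and after a subject lowers its current level."""
    s = Subject(max_level)
    before = can_write(s.current, target_object_level)
    s.set_current(target_object_level)
    return before, can_write(s.current, target_object_level)


if __name__ == "__main__":
    for name in SUBJECTS:
        print(name, "reads", readable(name), "writes", writable(name))
    print(communicate_down(("Top Secret", ()), ("Unclassified", ())))
```

Note that `can_write` only evaluates the mandatory and discretionary conditions; the audit trail of a subject lowering its level is something a real system records separately, since it is exactly the point at which Top Secret knowledge could leak into an Unclassified write.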
Integrity Policy Requirements
Commercial requirements differ from military requirements in their emphasis on preserving data integrity.
1. Users will not write their own programs, but will use existing production programs and databases.
2. Programmers will develop and test programs on a nonproduction system; if they need access to actual data, they will be given production data via a special process, but will use it on their development system.
3. A special process must be followed to install a program from the development system onto the production system.
4. The special process in requirement 3 must be controlled and audited.
5. The managers and auditors must have access to both the system state and the system logs that are generated.
Integrity Policy: Principles of operation
These requirements induce principles of operation:
- Separation of duty: a single person should not be allowed to carry out all steps of a critical function
  - moving a program from the development to the production system
  - developer and certifier (installer) of a program
  - authorizing a check and cashing it
- Separation of function: do not process production data on a development system
- Auditing: emphasis on recovery and accountability
  - controlled/audited process for updating code on the production system
Biba’s Integrity Policy Model
- Based on Bell-LaPadula (a mathematical dual of BLP)
- Subjects, objects, and integrity levels with a dominance relation
  - higher levels are more reliable/trustworthy and more accurate
- Information transfer path: a sequence of subjects and objects where s_i r o_i and s_i w o_(i+1)
Policies
- Low-Water-Mark Policy
  - s w o iff i(o) ≤ i(s): prevents writing to a higher level
  - s r o: allowed, with i'(s) = min(i(s), i(o)), i.e. it drops the subject's level
  - s1 x s2 iff i(s2) ≤ i(s1): prevents executing higher-level objects
- Ring Policy
  - s r o: allows any subject to read any object
  - s w o iff i(o) ≤ i(s) (same as above)
  - s1 x s2 iff i(s2) ≤ i(s1)
- Biba's Model: Strict Integrity Policy (dual of Bell-LaPadula)
  - s r o iff i(s) ≤ i(o) (no read-down)
  - s w o iff i(o) ≤ i(s) (no write-up)
  - s1 x s2 iff i(s2) ≤ i(s1)
- Theorem for each: if there is an information transfer path from object o_1 to object o_(n+1), then enforcement of the policy requires that i(o_(n+1)) ≤ i(o_1) for all n > 1
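As an added example (my own code, not from the slides), the three Biba policies are encoded as access rules and an information transfer path o_1, s_1, o_2, s_2, ..., o_(n+1) is simulated under each of them, which shows where each policy blocks the flow and how the low-water-mark policy lowers a subject's level as it reads. Integer integrity levels and the two level assignments are constructed.

```python
# Added example (not from the slides): Biba's three integrity policies as
# access rules, plus a simulation of an information transfer path
# o1, s1, o2, s2, ..., o_{n+1} (s_i reads o_i, then writes o_{i+1}) under each
# policy. Larger integer = higher (more trustworthy) integrity level.
# The levels and paths below are constructed.


def write_ok(i_s, i_o):
    """s w o iff i(o) <= i(s): shared by all three policies (no write-up)."""
    return i_o <= i_s


def execute_ok(i_s1, i_s2):
    """s1 x s2 iff i(s2) <= i(s1): shared by all three policies."""
    return i_s2 <= i_s1


def strict_read_ok(i_s, i_o):
    """Strict integrity: s r o iff i(s) <= i(o) (no read-down)."""
    return i_s <= i_o


def run_transfer(policy, levels, path):
    """Attempt the transfer path under policy 'strict', 'lwm' (low-water-mark)
    or 'ring'. Returns (completed, final_levels); under 'lwm' a subject's
    level may have dropped to min(i(s), i(o)) after each read."""
    lv = dict(levels)
    objects, subjects = path[0::2], path[1::2]
    for k, s in enumerate(subjects):
        o_in, o_out = objects[k], objects[k + 1]
        # read step
        if policy == "strict" and not strict_read_ok(lv[s], lv[o_in]):
            return False, lv
        if policy == "lwm":
            lv[s] = min(lv[s], lv[o_in])      # reading drops the subject's level
        # 'ring': any subject may read any object, level unchanged
        # write step, identical in all three policies
        if not write_ok(lv[s], lv[o_out]):
            return False, lv
    return True, lv


def theorem_holds(levels, path):
    """i(o_{n+1}) <= i(o_1): data never ends up in a higher-integrity object
    than it came from."""
    return levels[path[-1]] <= levels[path[0]]


# Constructed scenarios: in A the middle object o2 is low-integrity and o3 is
# higher than o2; in B every step goes downhill.
LEVELS_A = {"o1": 3, "s1": 3, "o2": 1, "s2": 2, "o3": 2}
LEVELS_B = {"o1": 3, "s1": 3, "o2": 2, "s2": 2, "o3": 1}
PATH = ["o1", "s1", "o2", "s2", "o3"]

if __name__ == "__main__":
    for name, levels in (("A", LEVELS_A), ("B", LEVELS_B)):
        for policy in ("strict", "lwm", "ring"):
            done, final = run_transfer(policy, levels, PATH)
            print(name, policy, "completed" if done else "blocked", final)
```

In scenario A the strict policy refuses s2's read of the low-integrity o2, the low-water-mark policy lets the read happen but drags s2 down to level 1 so the subsequent write to o3 fails, and the ring policy, which only constrains direct modification, lets the path complete; scenario B completes under all three and satisfies the theorem's bound.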
Chinese Wall Model
- Supports confidentiality and integrity, i.e. a hybrid policy
- Information can't flow between items in a conflict-of-interest set
- Applicable to the environment of a stock exchange or investment house
- Models conflict of interest
  - Objects: items of information related to a company
  - Company dataset (CD): contains objects related to a single company; written CD(O)
  - Conflict of interest class (COI): contains datasets of companies in competition; written COI(O)
  - Assume: each object belongs to exactly one COI class
Example
[Figure: two conflict-of-interest classes. Bank COI class: Bank of America, Citibank, Bank of the West. Gasoline Company COI class: Shell Oil, Union '76, Standard Oil, ARCO.]
CW-Simple Security Property (Read rule)
- CW-Simple Security Property: s can read o iff one of the following holds
  - ∃ o' ∈ PR(s) such that CD(o') = CD(o), or
  - ∀ o' ∈ PR(s): COI(o') ≠ COI(o), or
  - o has been "sanitized"
  (o' ∈ PR(s) indicates that o' has been previously read by s)
- Public information may belong to a CD
  - as it is publicly available, no conflicts of interest arise
  - so it should not affect the ability of analysts to read
  - typically, all sensitive data is removed from such information before it is released publicly (called sanitization)
Writing
- Anthony and Susan work in the same trading house
- Anthony can read Bank of America's CD, Susan can read Citibank's CD, and both can read ARCO's CD
- If Anthony could write to the gasoline company's CD, Susan could read it
- Hence, indirectly, she could read information from Bank of America's CD, a clear conflict of interest
CW-*-Property (Write rule)
- CW-*-Property: s can write o iff both of the following conditions hold
  1. the CW-simple security condition permits s to read o
  2. for all unsanitized objects o': s can read o' ⇒ CD(o') = CD(o)
- Says that s can write to an object only if all the (unsanitized) objects it can read are in the same dataset
- Anthony can read both CDs, hence condition 1 is met
- He can read unsanitized objects of Bank of America, hence condition 2 is false
- Hence Anthony can't write to objects in ARCO's CD
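The read and write rules, and the Anthony/Susan scenario from the two slides above, as an added example in code (my own, not from the slides). The company datasets follow the slide's figure; the individual objects, the analysts' read histories PR(s), and the "universe" of objects against which the CW-*-property quantifies are constructed.

```python
# Added example (not from the slides): the Chinese Wall read rule (CW-simple
# security property) and write rule (CW-*-property) over the slide's two
# conflict-of-interest classes. Objects, analysts and read histories PR(s)
# are constructed.

COI = {  # conflict-of-interest class -> company datasets (CDs) in it
    "Bank": {"Bank of America", "Citibank", "Bank of the West"},
    "Gasoline": {"Shell Oil", "Union 76", "Standard Oil", "ARCO"},
}
COI_OF_CD = {cd: coi for coi, cds in COI.items() for cd in cds}


class Obj:
    def __init__(self, name, cd, sanitized=False):
        self.name, self.cd, self.sanitized = name, cd, sanitized

    @property
    def coi(self):
        return COI_OF_CD[self.cd]


class Analyst:
    def __init__(self, name):
        self.name = name
        self.PR = []           # objects previously read by this subject

    def can_read(self, o):
        """CW-simple: s can read o iff
           some o' in PR(s) has CD(o') = CD(o), or
           every o' in PR(s) has COI(o') != COI(o), or
           o has been sanitized."""
        if o.sanitized:
            return True
        if any(p.cd == o.cd for p in self.PR):
            return True
        return all(p.coi != o.coi for p in self.PR)

    def read(self, o):
        if not self.can_read(o):
            return False
        self.PR.append(o)
        return True

    def can_write(self, o, universe):
        """CW-*: s can write o iff s can read o and every unsanitized object
        o' (drawn from `universe`) that s can read satisfies CD(o') = CD(o)."""
        if not self.can_read(o):
            return False
        return all(p.cd == o.cd for p in universe
                   if not p.sanitized and self.can_read(p))


# Constructed objects
boa = Obj("BoA loan book", "Bank of America")
citi = Obj("Citibank loan book", "Citibank")
bow = Obj("BotW loan book", "Bank of the West")
arco = Obj("ARCO forecast", "ARCO")
shell = Obj("Shell forecast", "Shell Oil")
arco_pub = Obj("ARCO annual report", "ARCO", sanitized=True)
UNIVERSE = [boa, citi, bow, arco, shell, arco_pub]


def slide_scenario():
    """Anthony and Susan from the slide; returns the outcomes discussed there."""
    anthony, susan = Analyst("Anthony"), Analyst("Susan")
    anthony.read(boa)
    anthony.read(arco)
    susan.read(citi)
    susan.read(arco)
    return {
        "anthony_reads_citi": anthony.can_read(citi),
        "susan_reads_boa": susan.can_read(boa),
        "anthony_writes_arco": anthony.can_write(arco, UNIVERSE),
        "susan_reads_sanitized_arco": susan.can_read(arco_pub),
    }


if __name__ == "__main__":
    print(slide_scenario())
```

A consequence worth seeing in the output: even an analyst who has only ever read Bank of America's dataset cannot write to it while an unread gasoline-company object exists that the read rule would still let them open, which is why the CW-*-property is often described as confining writers to a single dataset.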
[Figure: RBAC overview. Users are linked to Roles by User-Role Assignment; Roles are linked to Permissions by Permission Assignment; Constraints and Role Hierarchies apply to Roles.]
Role Based Access Control
- Access control in organizations is based on "roles that individual users take on as part of the organization"
- A role "is a collection of permissions"
- http://csrc.nist.gov/groups/SNS/rbac/
RBAC
- Access depends on function, not identity
- Example: Allison is bookkeeper for the Math Dept. She has access to the financial records. If she leaves and Betty is hired as the new bookkeeper, Betty now has access to those records. The role of "bookkeeper" dictates access, not the identity of the individual.
Advantages of RBAC
- Allows efficient security management
  - administrative roles, role hierarchy
- Principle of least privilege allows minimizing damage
- Separation of duties constraints to prevent fraud
- Allows grouping of objects
- Policy-neutral: provides generality
  - encompasses DAC and MAC policies
RBAC
[Figure: (a) users u1..un assigned directly to permissions o1..om, requiring n × m assignments; (b) users assigned to a role r, which is assigned the permissions, requiring n + m assignments]
[Figure: example role hierarchy with roles Employee, Engineer, Senior Engineer, Administrator, Senior Administrator and Manager]
RBAC (NIST Standard)
[Figure: Users are related to Roles by UA; Roles are related to Permissions (Operations on Objects) by PA; Users have Sessions (user_sessions, one-to-many) and Sessions activate Roles (role_sessions, many-to-many)]
An important difference from classical models is that the Subject in other models corresponds to a Session in RBAC.
Core RBAC (relations)
- Permissions = 2^(Operations × Objects)
- UA ⊆ Users × Roles
- PA ⊆ Permissions × Roles
- assigned_users: Roles → 2^Users
- assigned_permissions: Roles → 2^Permissions
- Op(p): set of operations associated with permission p
- Ob(p): set of objects associated with permission p
- user_sessions: Users → 2^Sessions
- session_user: Sessions → Users
- session_roles: Sessions → 2^Roles, with session_roles(s) = {r | (session_user(s), r) ∈ UA}
- avail_session_perms: Sessions → 2^Permissions
RBAC with General Role Hierarchy
[Figure: as the core RBAC diagram (Users, Roles, Permissions = Operations on Objects, Sessions, UA, PA, user_sessions, role_sessions), with an added RH (role hierarchy) relation on Roles]
RBAC with General Role Hierarchy
- authorized_users: Roles → 2^Users, authorized_users(r) = {u | r' ≥ r & (u, r') ∈ UA}
- authorized_permissions: Roles → 2^Permissions, authorized_permissions(r) = {p | r ≥ r' & (p, r') ∈ PA}
- RH ⊆ Roles × Roles is a partial order called the inheritance relation, written as ≥
- (r1 ≥ r2) ⇒ authorized_users(r1) ⊆ authorized_users(r2) & authorized_permissions(r2) ⊆ authorized_permissions(r1)
Example
[Figure: the role hierarchy Employee, Engineer, Senior Engineer, Administrator, Senior Administrator, Manager, with users (e1, e2, e3, e4, e5, x) and permissions (p1, p2, pa, pb, px, py) attached to roles; the individual assignments are not recoverable from the transcript]
- authorized_users(Employee)? authorized_users(Administrator)?
- authorized_permissions(Employee)? authorized_permissions(Administrator)?
Constrained RBAC
[Figure: the hierarchical RBAC diagram (Users, Roles, Permissions = Operations on Objects, Sessions, UA, PA, user_sessions, RH) with Static Separation of Duty constraints on role assignment and Dynamic Separation of Duty constraints on role activation in sessions]
Static Separation of Duty
- SSD ⊆ 2^Roles × N
- In absence of hierarchy: a collection of pairs (RS, n) where RS is a role set and n ≥ 2; for all (RS, n) ∈ SSD, for all t ⊆ RS: |t| ≥ n ⇒ ∩_{r ∈ t} assigned_users(r) = ∅
- In presence of hierarchy: a collection of pairs (RS, n) where RS is a role set and n ≥ 2; for all (RS, n) ∈ SSD, for all t ⊆ RS: |t| ≥ n ⇒ ∩_{r ∈ t} authorized_users(r) = ∅
Dynamic Separation of Duty
- DSD ⊆ 2^Roles × N
- Collection of pairs (RS, n) where RS is a role set and n ≥ 2; a user cannot activate n or more roles from RS
- Formally?? [HW3?]
- What if both SSD and DSD contain (RS, n)?
  - Consider (RS, n) = ({r1, r2, r3}, 2)
  - If SSD: can r1, r2 and r3 be assigned to u?
  - If DSD: can r1, r2 and r3 be assigned to u?
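The core relations, the role-hierarchy closure behind authorized_users and authorized_permissions, sessions, and the SSD/DSD checks from the preceding slides, as one added example in code (my own, not the NIST standard's and not from the slides). The role names follow the slides' example hierarchy; the users, permissions, inheritance edges and constraint sets are constructed, as is the decision to make avail_session_perms hierarchy-aware.

```python
# Added example (not the NIST standard's or the slides' code): core RBAC
# relations, the role hierarchy closure behind authorized_users and
# authorized_permissions, sessions that activate a subset of a user's roles,
# and static / dynamic separation-of-duty checks. All roles, users,
# permissions and constraints below are constructed.
from itertools import combinations

# direct inheritance edges (senior, junior): senior >= junior
RH = {
    ("Engineer", "Employee"), ("Administrator", "Employee"),
    ("SeniorEngineer", "Engineer"), ("SeniorAdministrator", "Administrator"),
    ("Manager", "SeniorEngineer"), ("Manager", "SeniorAdministrator"),
}
UA = {("e1", "Engineer"), ("e2", "Engineer"), ("e3", "SeniorEngineer"),
      ("a1", "Administrator"), ("m1", "Manager")}
# permissions are (operation, object) pairs
PA = {(("read", "wiki"), "Employee"), (("commit", "repo"), "Engineer"),
      (("deploy", "prod"), "SeniorEngineer"),
      (("adduser", "ldap"), "Administrator"), (("approve", "budget"), "Manager")}


def seniors_of(r):
    """{r' | r' >= r}: reflexive transitive closure of RH, walking upwards."""
    out, stack = {r}, [r]
    while stack:
        x = stack.pop()
        for hi, lo in RH:
            if lo == x and hi not in out:
                out.add(hi)
                stack.append(hi)
    return out


def ge(r1, r2):
    """r1 >= r2 in the inheritance partial order."""
    return r1 in seniors_of(r2)


def assigned_users(r):
    return {u for u, rr in UA if rr == r}


def assigned_permissions(r):
    return {p for p, rr in PA if rr == r}


def authorized_users(r):
    """{u | r' >= r and (u, r') in UA}: users of r and of every senior role."""
    return {u for u, rr in UA if ge(rr, r)}


def authorized_permissions(r):
    """{p | r >= r' and (p, r') in PA}: permissions of r and every junior role."""
    return {p for p, rr in PA if ge(r, rr)}


SSD = {(frozenset({"Engineer", "Administrator"}), 2)}
DSD = {(frozenset({"SeniorEngineer", "SeniorAdministrator"}), 2)}


def ssd_satisfied(ssd, users_of=authorized_users):
    """For every (RS, n) and every t subset of RS with |t| >= n, the user sets
    of the roles in t have empty intersection. Checking only the size-n
    subsets suffices, since a larger subset's intersection is smaller.
    Pass users_of=assigned_users for the no-hierarchy form."""
    for rs, n in ssd:
        for t in combinations(sorted(rs), n):
            if set.intersection(*(users_of(r) for r in t)):
                return False
    return True


def dsd_allows(active_roles, dsd=DSD):
    """A session may not activate n or more roles from any DSD role set."""
    return all(len(set(active_roles) & rs) < n for rs, n in dsd)


class Session:
    def __init__(self, user, roles):
        roles = set(roles)
        assigned = {r for u, r in UA if u == user}
        if not roles <= assigned:       # only roles with (session_user(s), r) in UA
            raise ValueError("cannot activate a role not assigned to the user")
        if not dsd_allows(roles):
            raise ValueError("activation violates dynamic separation of duty")
        self.user, self.roles = user, roles

    def avail_session_perms(self):
        """Union over active roles of authorized_permissions
        (assumption: hierarchy-aware, as in the hierarchical model)."""
        return set().union(*(authorized_permissions(r) for r in self.roles))


def can_open_session(user, roles):
    try:
        Session(user, roles)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(sorted(authorized_users("Employee")), sorted(authorized_permissions("Administrator")))
    print("SSD ok (no hierarchy):", ssd_satisfied(SSD, assigned_users))
    print("SSD ok (hierarchy):", ssd_satisfied(SSD))
```

The hierarchical SSD check fails in this data even though no user is directly assigned both Engineer and Administrator: Manager inherits both, so m1 is in authorized_users of each, which is exactly the difference between the two SSD definitions on the slide.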
MAC using RBAC
[Figure: a BLP lattice of levels L, M1, M2, H mapped to read roles LR, M1R, M2R, HR (same lattice) and write roles HW, M1W, M2W, LW (inverse lattice)]
Transformation rules
- R = {L1R, L2R, …, LnR, L1W, L2W, …, LnW}
- Two separate hierarchies for {L1R, L2R, …, LnR} and {L1W, L2W, …, LnW}
- Each user is assigned to exactly two roles: xR and LW
- Each session has exactly two roles, yR and yW
- Permission (o, r) is assigned to xR iff (o, w) is assigned to xW
RBAC’s Benefits
Summary
- Policy describes what is allowed in a system.
- Confidentiality policies: Bell-LaPadula model
- Integrity policies: Biba's model
- Hybrid policies: Chinese Wall model
- Role-Based Access Control (RBAC) model