Special systems: MLS. Multilevel security [“Red book” US-DOD 1987] considers the assurance risk when composing multilevel secure systems evaluated under security evaluation criteria. Analyzing the security of interoperating and individually secure systems can be done in polynomial time. Given a non-secure network configuration, re-configuring the connections in an optimal way (to minimize the impact on interoperability) is NP.

Upload: heriberto-banks

Post on 14-Dec-2015


Special systems: MLS

Multilevel security [“Red book” US-DOD 1987] considers the assurance risk when composing multilevel secure systems evaluated under security evaluation criteria. Analyzing the security of interoperating and individually secure systems can be done in polynomial time.

Given a non-secure network configuration, re-configuring the connections in an optimal way (to minimize the impact on interoperability) is NP.

Multilevel Security (MLS) [Bell-LaPadula Model]

Security levels L define the classification of subjects (processes) and objects, e.g. Unclassified, Secret, Top-Secret.

Policy: a lattice of security levels (L, <=), where x <= y means that level-x information may flow to level y. Unclassified < Secret < Top-Secret

Evaluation Criteria [“Orange” & “Red” Books]

MLS systems are assured to different levels of assurance based on evaluation criteria: (worst) D < C1 < C2 < C3 < B1 < B2 < B3 < A1 (best). Evaluated systems must meet minimum risk requirements.

Systems storing high-risk combinations of data need high levels of assurance.

System stores               Minimum assurance
topsecret + unclassified    B3
topsecret + secret          B2
secret + unclassified       B1

Configuring MLS Networks: Channel Cascade Attacks

[Figure: three connected systems A, B and C, each labelled with the levels it stores (TS, S, U) and an assurance rating (B2, B1, B3).]

Each evaluated system meets the criteria. However, the network has a cascading risk: the attacker breaks system A, copies TS data to S, copies this data from system A to B to C, breaks system C, and copies the S(TS) data to U. B3 assurance is required when protecting TS and U, but the cascade attack only has to break B2 and lower systems.

Modeling MLS networks: Strategy

effort((s,l),(s’,l’)): the minimum effort required to compromise the network and copy/downgrade level-l information held on system s to level l’ on system s’.

Cascade problem if there exist s, s’ and l, l’ such that effort((s,l),(s’,l’)) < system-assurance.

[Figure: the A, B, C network above, annotated with assurance labels (B3, B3, B1, B3, B2).]

Modeling MLS networks: Strategy (using Constraints)

Systems as flow-constraints between the levels of data that they store.

Networks as flow-constraints that represent the channels that connect systems.

Soft constraint semi-ring as assurance levels.

Cascade Detection: finding cascades.

[Figure: the A, B, C network with the assurance labels B1, B2, B3 replaced by semiring values (0, 1, 2, 3) on the systems and channels.]
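As an added example (not code from the slides), the cascade check over an A-B-C chain like the one above, in Python. It assumes that an attacker's effort to downgrade data inside a system equals that system's assurance number, that channels cost nothing, and that efforts along a path combine with max, as in the slides' E = max(...) computation; the ratings and links of the sample network are constructed.

```python
import heapq

# Added example, not code from the slides. Assumptions: downgrading data inside a
# system costs the attacker that system's assurance number, moving data over a
# channel at the same level costs 0, and costs along a path combine with max,
# as in the slides' E = max(...) computation.
LEVEL = {"U": 0, "S": 1, "TS": 2}
ASSURANCE = {"B1": 1, "B2": 2, "B3": 3}
# Minimum assurance for a single system holding both levels (slide table).
REQUIRED = {("TS", "U"): 3, ("TS", "S"): 2, ("S", "U"): 1}

def min_effort(systems, channels):
    """Minimum over paths of the maximum step cost, from every (system, level).
    systems = {name: (rating, {levels stored})}, channels = [(src, dst, level)]."""
    adj = {}
    for name, (rating, levels) in systems.items():
        for hi in levels:
            for lo in levels:
                if LEVEL[hi] > LEVEL[lo]:  # attacker breaks this system to downgrade
                    adj.setdefault((name, hi), []).append(((name, lo), ASSURANCE[rating]))
    for src, dst, lvl in channels:  # data copied unchanged over a channel
        adj.setdefault((src, lvl), []).append(((dst, lvl), 0))
    effort = {}
    for start in [(n, l) for n, (_, ls) in systems.items() for l in ls]:
        best, heap = {start: 0}, [(0, start)]
        while heap:  # Dijkstra with max instead of + (bottleneck path)
            cost, node = heapq.heappop(heap)
            if cost > best[node]:
                continue
            for nxt, step in adj.get(node, []):
                c = max(cost, step)
                if c < best.get(nxt, float("inf")):
                    best[nxt] = c
                    heapq.heappush(heap, (c, nxt))
        effort.update({(start, n): c for n, c in best.items() if n != start})
    return effort

def find_cascades(systems, channels):
    """(src, level, dst, level, effort, required) wherever effort < required."""
    return sorted((s, l, t, m, e, REQUIRED[(l, m)])
                  for ((s, l), (t, m)), e in min_effort(systems, channels).items()
                  if e < REQUIRED.get((l, m), 0))

# The slide's A-B-C chain with constructed ratings: each system alone meets the
# table, but TS on A reaches U on C with effort max(2, 1) = 2 < 3 (B3 needed).
NETWORK = {"A": ("B2", {"TS", "S"}), "B": ("B1", {"S"}), "C": ("B1", {"S", "U"})}
LINKS = [("A", "B", "S"), ("B", "C", "S")]
```

Calling find_cascades(NETWORK, LINKS) reports the TS-on-A to U-on-C cascade; dropping the B-to-C channel (the "add communications only when needed" remedy) makes it return an empty list.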

Ex1: Cascade Free Path

[Figure: systems A, B, C and D with the levels they store (U, S, TS), their assurance ratings (B1, B2, B3) and the channels between them; the path nodes are TsA, TdA, TsB, SdB, SsC, UdC, *1s and *1d, where s marks a source and d a destination.]

E = max( {0,0,3,0,1,0,0} ) = 3

Required assurance for the pairs R(TsA,SdB), R(TsA,UdC), R(TsA,*1d): 3, 0, 2

R = max( {2,3,0} ) = 3

E is not less than R, so this path is cascade free.

Ex2: Cascading Path

[Figure: the same systems A, B, C and D, now with assurance ratings including C2, B2 and B1; the path nodes are TsA, SsD, SsC, *1s, SdA, SdD, UdC and *1d.]

E = max( {2,0,0,0,1,0,0} ) = 2

Required assurance for the pairs R(TsA,SdD), R(TsA,UdC), R(TsA,*1d): 2, 0, 3

R = max( {2,3,0} ) = 3

E = 2 < R = 3, so this path cascades.

Conclusion

Secure interoperation is difficult! Remember: when you compose two secure systems you could obtain a non-secure system! In real life: add communications only when really needed!

Questions?

Thank you for your attention

Crisp toward soft constraints

P = <V, D, C, PC, con, def, a>

[Figure: a four-variable colouring problem with V = {x1, x2, x3, x4}, domains {red,blue,yellow}, {blue,yellow}, {red,blue} and {yellow}, and C = {pairwise-different}; combination and projection of the constraints are shown.]

Crisp toward soft constraints

[Figure: the same problem with costs attached to the constraints (5$, 3$, 2$, 15$, 15$); combination is (+) and projection is (min), giving the values 15$, 13$ and 13$.]

Semiring instances:

Weighted       <ℝ⁺, min, +, +∞, 0>
Fuzzy          <[0,1], max, min, 0, 1>
Probabilistic  <[0,1], max, ×, 0, 1>
Classical      <{false,true}, ∨, ∧, false, true>

The Semiring Framework

C-semiring <A, +, ×, 0, 1>:

A c-semiring is a tuple <A, +, ×, 0, 1> such that: A is the set of all consistency values and 0, 1 ∈ A; 0 is the lowest consistency value and 1 is the highest consistency value;

+, the additive operator, is a closed, commutative, associative and idempotent operation such that 1 is its absorbing element and 0 is its unit element;

×, the multiplicative operator, is a closed and associative operation such that 0 is its absorbing element, 1 is its unit element and × distributes over +.

Stefano Bistarelli, Ugo Montanari, and Francesca Rossi, Semiring-based Constraint Solving and Optimization. Journal of the ACM, 44(2):201–236, Mar 1997.

Semiring-based Constraints

Given a semiring <A, +, ×, 0, 1> and an ordered set of variables V over a finite domain D, a constraint c is a function which maps an assignment of the variables in the support of c, supp(c), to an element of A.

Notation: the constraint function c evaluated under an instantiation of its variables returns a semiring value. Given two constraints c1 and c2, their combination evaluated under an instantiation is defined as c1 × c2, each evaluated under the same instantiation.

The combination of a set of constraints C is the combination of all its members. Ordering: a ≤ b iff a + b = b; c1 ⊑ c2 iff c1 ≤ c2 under every instantiation.
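As an added example (not the authors' code), the four c-semiring instances above together with pointwise combination and projection of soft constraints, in Python; the two-variable weighted colouring problem at the end is constructed, not the slides' four-variable example.

```python
from itertools import product

# Added example, not code from the slides: the four c-semiring instances listed
# above, with pointwise combination and projection of soft constraints.
class CSemiring:
    def __init__(self, plus, times, zero, one):
        self.plus, self.times, self.zero, self.one = plus, times, zero, one

    def leq(self, a, b):
        """a <= b iff a + b = b: b is at least as consistent as a."""
        return self.plus(a, b) == b

CLASSICAL = CSemiring(lambda a, b: a or b, lambda a, b: a and b, False, True)
FUZZY = CSemiring(max, min, 0.0, 1.0)
PROBABILISTIC = CSemiring(max, lambda a, b: a * b, 0.0, 1.0)
WEIGHTED = CSemiring(min, lambda a, b: a + b, float("inf"), 0)  # costs, lower is better

class Constraint:
    """Maps each assignment of its support (tuple of variable names) to a value."""
    def __init__(self, support, table):
        self.support, self.table = tuple(support), table

    def __call__(self, assignment):
        return self.table[tuple(assignment[v] for v in self.support)]

def combine(sr, c1, c2, domains):
    """c1 x c2 over the union of the supports, valued with the multiplicative op."""
    supp = tuple(dict.fromkeys(c1.support + c2.support))
    table = {}
    for vals in product(*(domains[v] for v in supp)):
        a = dict(zip(supp, vals))
        table[vals] = sr.times(c1(a), c2(a))
    return Constraint(supp, table)

def project(sr, c, keep):
    """Drop the variables not in keep, folding their alternatives with the additive op."""
    keep = tuple(v for v in c.support if v in keep)
    table = {}
    for vals, val in c.table.items():
        key = tuple(x for x, v in zip(vals, c.support) if v in keep)
        table[key] = sr.plus(table.get(key, sr.zero), val)
    return Constraint(keep, table)

# Constructed two-variable colouring problem: a penalty for giving x1 and x2 the
# same colour, plus a cost per colour for x1 (weighted semiring, lower is better).
DOMAINS = {"x1": ("red", "blue"), "x2": ("red", "blue")}
C_DIFF = Constraint(("x1", "x2"), {("red", "red"): 5, ("red", "blue"): 0,
                                   ("blue", "red"): 0, ("blue", "blue"): 5})
C_X1 = Constraint(("x1",), {("red",): 3, ("blue",): 2})
```

Projecting the combined constraint onto the empty support gives the best achievable cost (2, for x1 = blue and x2 = red); projecting onto ("x1",) keeps the best cost per colour of x1.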

Stefano Bistarelli, Ugo Montanari and Francesca Rossi, Soft Concurrent Constraint Programming. Proceedings of ESOP-2002, LNCS, April 2002.