26 Security Models

epgp books

Learning Objectives

  • To review the concept of Security Models
  • To discuss the models:
    – Bell-LaPadula (BLP)
    – Biba
  • To understand these concepts of system evaluation

Terminology

Trusted Computing Base (TCB) – combination of protection mechanisms within a computer system

Subjects / Objects – subjects are active (e.g., users / programs); objects are passive (e.g., files)

Reference Monitor – abstract machine that mediates subject access to objects

Security Kernel – core element of the TCB that enforces the reference monitor’s security policy

Types of Access Control

  • Discretionary Access Control (DAC) – data owners can create and modify the matrix of subject / object relationships (e.g., ACLs)
  • Mandatory Access Control (MAC) – “insecure” transactions are prohibited regardless of DAC
  • MAC rules cannot be enforced with a DAC security kernel
    – Someone with read access to a file can copy it and build a new “insecure” DAC matrix, because he will be the owner of the new file.

Trust Models

  • Bell-LaPadula
  • Biba
  • Clark-Wilson
  • Chinese Wall

Bell-LaPadula (BLP) Model

  • BLP is a formal (mathematical) description of mandatory access control
  • Three properties:
    – ds-property (discretionary security)
    – ss-property (simple security – no “read up”)
    – *-property (star property – no “write down”)
  • A secure system satisfies all of these properties
  • BLP includes a mathematical proof that if a system is secure and a transition satisfies all of the properties, then the system will remain secure.
  • The Honeywell Multics kernel was the only true implementation of BLP, but it never took hold
  • DoD information security requirements are currently achieved via discretionary access control and segregation of systems rather than BLP-compliant computers.
  • Information flows are secure when they describe acceptable connections between subjects and objects of different levels of sensitivity.
  • Security-level analysis enables us to construct systems that can perform concurrent computation on data at two different sensitivity levels. For example, we may want to use one machine for top-secret and confidential data at the same time.
  • The programs processing top-secret data would be prevented from leaking top-secret data to the confidential data, and the confidential users would be prevented from accessing the top-secret data.
  • Thus, the Bell-LaPadula model is useful as the basis for the design of systems that handle data of multiple sensitivities.

Biba Model

  • Similar to BLP but the focus is on integrity, not confidentiality
  • The result is to turn the BLP model upside down
    – High-integrity subjects cannot read lower-integrity objects (no “read down”)
    – Subjects cannot move low-integrity data to a high-integrity environment (no “write up”)
  • McLean notes that the ability to flip models essentially renders their assurance properties useless

Clark-Wilson Model

  • Reviews the distinction between military and commercial policy
    – Military policy focuses on confidentiality
    – Commercial policy focuses on integrity
  • Mandatory commercial controls typically involve who gets to do what type of transaction rather than who sees what (Example: cut a check above a certain dollar amount)
  • Two types of objects:
    – Constrained Data Items (CDIs)
    – Unconstrained Data Items (UDIs)
  • Two types of transactions on CDIs in the model:
    – Integrity Verification Procedures (IVPs)
    – Transformation Procedures (TPs)
  • IVPs certify that TPs on CDIs result in a valid state
  • All TPs must be certified to result in a valid transformation
  • The system maintains a list of valid relations of the form {UserID, TP, CDI/UDI}
  • The only permitted manipulation of a CDI is via an authorized TP
  • If a TP takes a UDI as input, then it must result in a proper CDI or the TP will be rejected
  • Additional requirements:
    – Auditing: TPs must write to an append-only CDI (log)
    – Separation of duties
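The Clark-Wilson rules above (certified {UserID, TP, CDI} relations, UDI validation, an IVP, the append-only log and separation of duties) as a small enforcement layer. This is an added example, not code from the original notes; the TP name "debit", the account CDI and the input values are constructed for illustration.

```python
# Added example, not from the original notes: a minimal Clark-Wilson enforcement
# layer. The TP name "debit", the account CDI and the inputs are constructed.
from dataclasses import dataclass, field


@dataclass
class ClarkWilson:
    cdis: dict = field(default_factory=dict)     # constrained data items
    relations: set = field(default_factory=set)  # certified (UserID, TP, CDI) triples
    log: list = field(default_factory=list)      # append-only CDI (audit log)

    def certify(self, officer: str, user: str, tp: str, cdi: str) -> None:
        """Separation of duties: a user may not certify their own relation."""
        if officer == user:
            raise PermissionError("separation of duties: cannot self-certify")
        self.relations.add((user, tp, cdi))

    def ivp(self) -> bool:
        """Integrity Verification Procedure: no account balance may be negative."""
        return all(balance >= 0 for balance in self.cdis.values())

    def debit(self, user: str, cdi: str, udi) -> int:
        """TP 'debit': subtract an amount from a CDI; udi is untrusted raw input."""
        tp = "debit"
        # Only a certified (UserID, TP, CDI) relation may manipulate a CDI.
        if (user, tp, cdi) not in self.relations:
            raise PermissionError(f"{user} is not certified to run {tp} on {cdi}")
        # A UDI must validate into a proper CDI value or the TP is rejected.
        try:
            amount = int(udi)
        except (TypeError, ValueError):
            raise ValueError("rejected: UDI does not validate to a CDI") from None
        if amount <= 0:
            raise ValueError("rejected: amount must be positive")
        before = self.cdis[cdi]
        self.cdis[cdi] = before - amount
        # A TP that would leave the system in an invalid state is rolled back.
        if not self.ivp():
            self.cdis[cdi] = before
            raise ValueError("rejected: TP would leave a CDI in an invalid state")
        self.log.append((user, tp, cdi, amount))  # auditing: append-only record
        return self.cdis[cdi]
```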

Clark-Wilson versus Biba

  • In Biba’s model, UDI to CDI conversion is performed by a trusted subject only (e.g., a security officer), but this is problematic for the data entry function.
  • In Clark-Wilson, TPs are specified for particular users and functions. Biba’s model does not offer this level of granularity.

Chinese Wall

Focus is on conflicts of interest.

  • Principle: Users should not access the confidential information of both a client organization and one or more of its competitors.
  • How it works:
    – Users have no “wall” initially.
    – Once any given file is accessed, files with competitor information become inaccessible.
    – Unlike other models, access control rules change with user behavior
  • This model provides access controls that can change dynamically depending upon a user’s previous actions.
  • The main goal of this model is to protect against conflicts of interest arising from a user’s access attempts.
  • It is based on the information flow model, where no information can flow between subjects and objects in a way that would result in a conflict of interest.
  • The model states that a subject can write to an object if, and only if, the subject cannot read another object that is in a different data set.
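The history-dependent read rule and the write rule just stated, as an added example that is not part of the original notes. Company datasets, conflict classes and the subject names are constructed; a dataset is taken as readable exactly when it does not compete with anything the subject has already accessed.

```python
# Added example, not from the original notes: a Chinese Wall monitor that keeps
# a per-subject access history. Datasets and conflict classes are constructed.
class ChineseWall:
    def __init__(self, conflict_classes):
        # conflict_classes: iterable of sets; datasets in one set are competitors
        self.cc_of = {d: frozenset(cls) for cls in conflict_classes for d in cls}
        self.history = {}   # subject -> set of datasets already accessed

    def can_read(self, subject, dataset) -> bool:
        # No wall initially; afterwards a dataset is readable only if it was
        # already accessed or does not compete with anything already accessed.
        seen = self.history.get(subject, set())
        return all(dataset == d or dataset not in self.cc_of.get(d, frozenset())
                   for d in seen)

    def read(self, subject, dataset) -> bool:
        """Access an object; on success the subject's wall is updated."""
        if not self.can_read(subject, dataset):
            return False
        self.history.setdefault(subject, set()).add(dataset)
        return True

    def can_write(self, subject, dataset) -> bool:
        # Write rule as stated in the notes: allowed only if the subject cannot
        # read any object belonging to a different dataset.
        return all(not self.can_read(subject, d) for d in self.cc_of if d != dataset)
```

With more than one conflict class, a subject that has accessed one dataset can still read datasets in the other classes, so under this write rule it can write nowhere; that strictness is a property of the rule, not a defect of the code.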

Finite State Machine Models

Automata (= Finite State Machines) are a popular way of modeling many aspects of computing systems.

The essential features of these are the concepts of:

  • State
  • State transition

Bell-LaPadula (BLP) Model

The BLP structure combines:

  • access permission matrices, for access control,
  • a security lattice, for security levels,
  • an automaton, for access operations.

Security policies are reduced to relations in the BLP structure.

BLP Model

  • A set of subjects S
  • A set of objects O
  • A set of access operations
  • A lattice (L, ≤) of security levels
    – fs : S→L gives the maximal security level each subject can have,
    – fc : S→L gives the current security level of each subject,
    – fo : O→L gives the security classification of objects.

We require fc ≤ fs, that is, the maximal level dominates the current level.

Security policies: a state (b, M, f ) must satisfy,
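The state-machine form of BLP sketched here, together with the three properties from the earlier BLP section, as an added example (not code from the original notes). Levels are modelled as a rank plus a set of categories so that dominance is a lattice order; the subjects, objects and access matrix M used in the comments and tests are constructed.

```python
# Added example, not from the original notes: a BLP reference monitor in the
# state-machine form (b, M, f). Subjects, objects, levels and M are constructed.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Level:
    rank: int                        # point in the lattice (L, <=):
    cats: frozenset = frozenset()    # a rank plus a set of categories

    def dominates(self, other: "Level") -> bool:
        return self.rank >= other.rank and self.cats >= other.cats


@dataclass
class BLPState:
    fs: dict   # subject -> maximal level
    fc: dict   # subject -> current level
    fo: dict   # object  -> classification
    M: dict    # access matrix: M[(s, o)] = set of permitted operations
    b: set = field(default_factory=set)   # current accesses (s, o, op)

    def __post_init__(self):
        # Well-formedness: fc <= fs, the maximal level dominates the current one.
        if not all(self.fs[s].dominates(self.fc[s]) for s in self.fs):
            raise ValueError("current level exceeds maximal level")

    def ss_ok(self, s, o, op) -> bool:
        # Simple security (no read up): observing o needs fs(s) >= fo(o).
        return op != "read" or self.fs[s].dominates(self.fo[o])

    def star_ok(self, s, o, op) -> bool:
        # *-property (no write down): altering o needs fo(o) >= fc(s), and every
        # object s currently observes must be dominated by the write target.
        if op != "write":
            return True
        if not self.fo[o].dominates(self.fc[s]):
            return False
        return all(self.fo[o].dominates(self.fo[o2])
                   for (s2, o2, a) in self.b if s2 == s and a == "read")

    def ds_ok(self, s, o, op) -> bool:
        # Discretionary security: the operation must appear in the matrix M.
        return op in self.M.get((s, o), set())

    def request(self, s, o, op) -> bool:
        # Transition: add (s, o, op) to b only if the resulting state is secure.
        if self.ss_ok(s, o, op) and self.star_ok(s, o, op) and self.ds_ok(s, o, op):
            self.b.add((s, o, op))
            return True
        return False
```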

The Biba Model

This model addresses integrity by using a state machine model in a similar way to BLP.

It uses a lattice (L, ≤) of integrity levels, and functions fs : S→L and fo : O→L which assign integrity levels to subjects and objects.

Unlike BLP there is no single high-level integrity policy. Instead, there is a variety of approaches.

  • The integrity policies guarantee that information only flows downwards.
  • In particular, “clean” high-level entities cannot be corrupted by “dirty” low-level entities.

 

The Biba Model – static integrity

Simple integrity property: If a subject s can modify (alter) object o then fs(s) ≥ fo(o) (no “write up”).

Integrity *-property: If a subject s can read (observe) object o then s can have write access to an object o’ only if fo(o’) ≤ fs(s).

These properties prevent clean subjects and objects from being contaminated by dirty information.

 

The Biba Model – dynamic integrity

  1. Subject low watermark property: Subject s can read (observe) an object o at any integrity level. The new integrity level of s is inf(fs(s), fo(o)), where fs(s) and fo(o) are the integrity levels before the operation.

  2. Object low watermark property: Subject s can modify an object o at any integrity level. The new integrity level of o is inf(fs(s), fo(o)), where fs(s) and fo(o) are the integrity levels before the operation.
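The static simple integrity rule beside the two low-watermark rules, as an added example (not code from the original notes), to show the difference between refusing a request and letting it through while lowering a watermark. Integrity levels are plain integers (higher is cleaner) and the subject and object names are constructed.

```python
# Added example, not from the original notes: Biba's static rule beside the two
# low-watermark rules. Levels are integers (higher = cleaner); names are constructed.
from dataclasses import dataclass, field


@dataclass
class Biba:
    fs: dict = field(default_factory=dict)   # subject -> integrity level
    fo: dict = field(default_factory=dict)   # object  -> integrity level

    # --- static integrity: the request is refused, levels never change ---
    def simple_integrity_ok(self, s, o) -> bool:
        # no write up: s may modify o only if fs(s) >= fo(o)
        return self.fs[s] >= self.fo[o]

    # --- dynamic integrity: the request succeeds, but a watermark drops ---
    def observe_lw(self, s, o) -> int:
        """Subject low watermark: s reads any o; fs(s) becomes inf(fs(s), fo(o))."""
        self.fs[s] = min(self.fs[s], self.fo[o])
        return self.fs[s]

    def modify_lw(self, s, o) -> int:
        """Object low watermark: s modifies any o; fo(o) becomes inf(fs(s), fo(o))."""
        self.fo[o] = min(self.fs[s], self.fo[o])
        return self.fo[o]


def contamination_demo() -> dict:
    """A clean installer reads a dirty download, then tries to modify a clean tool."""
    m = Biba(fs={"installer": 3}, fo={"/usr/bin/tool": 3, "download": 1})
    before = m.simple_integrity_ok("installer", "/usr/bin/tool")   # allowed
    m.observe_lw("installer", "download")        # installer's watermark drops to 1
    after = m.simple_integrity_ok("installer", "/usr/bin/tool")    # now refused
    return {"before": before, "after": after, "installer": m.fs["installer"]}
```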

 

Summary

  • Outlined the purpose of security models
  • Discussed various security models
  • Discussed the properties of security models