Lecture 2
Security Models
Syed Naqvi
snaqvi@ieee.org
1
Access Control
♦ Access control constrains what a user can do directly, as well as what programs executing on his behalf are allowed to do.
2
Discretionary Access Control
♦ Used to control access by restricting a subject's access to an object. It is generally used to limit a user's access to a file. In this type of access control it is the owner of the file who controls other users' accesses to the file.
[Figure: individuals (Tom, John, Cindy) requesting access to resources (Server 1, Server 2, Server 3, Application); access is decided by the owner's Access List below]
Name    Access
Tom     Yes
John    No
Cindy   Yes
3
Mandatory Access Control
[Figure: individuals and resources; each server carries a system-assigned label: Server 1 "Top Secret", Server 2 "Secret", Server 3 "Classified"]
DAC
♦ Object owner has full power
♦ Complete trust in users
♦ Decisions are based only on user id and object ownerships
♦ Impossible to control data flow
MAC
♦ Object owner CAN have some power
♦ Only trust in administrators
♦ Objects and tasks themselves can have ids
♦ Makes data flow control possible
4
Role-Based Access Control
♦ A user has access to an object based on the assigned role.
[Figure: Role 1, Role 2 and Role 3 mapped to Server 1, Server 2 and Server 3]
5
Role-Based Access Control
♦ Roles are engineered based on the principle of least privilege.
♦ A role contains the minimum amount of permissions to instantiate an object.
♦ A user is assigned to a role that allows him or her to perform only what's required for that role.
♦ No single role is given more permission than the same role for another user.
[Figure: core RBAC model. Users are linked to Roles by User Assignment; Roles are linked to Permissions (Operations on Objects) by Permission Assignment. Sessions connect to Users via user_sessions (one-to-many) and to Roles via role_sessions (many-to-many).]
6
Role-Based Access Control
♦ Example: Hospital Setup
– The role of doctor can include operations to perform diagnosis, prescribe medication, and order laboratory tests.
– The role of a researcher can be limited to gathering anonymous clinical information for studies.
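The RBAC structure on the previous slides (User Assignment, Permission Assignment, sessions that activate a subset of a user's roles), as an added example that is not part of the lecture; the hospital roles come from the slide, while user names, operation names and object names are constructed.

```python
# Added example (not from the lecture): core RBAC with user assignment (UA),
# permission assignment (PA) and sessions, populated with the hospital roles.
# User, operation and object names are constructed for illustration.
class RBAC:
    def __init__(self):
        self.ua = {}        # user -> set of assigned roles        (User Assignment)
        self.pa = {}        # role -> set of (operation, object)   (Permission Assignment)
        self.sessions = {}  # session id -> (user, roles activated in that session)

    def assign_user(self, user, role):
        self.ua.setdefault(user, set()).add(role)

    def grant(self, role, operation, obj):
        self.pa.setdefault(role, set()).add((operation, obj))

    def open_session(self, sid, user, roles):
        """user_sessions is one-to-many; a session may activate only roles the user holds."""
        roles = set(roles)
        if not roles <= self.ua.get(user, set()):
            raise PermissionError(f"{user} is not assigned all of {sorted(roles)}")
        self.sessions[sid] = (user, roles)

    def check(self, sid, operation, obj):
        """Least privilege: an operation is allowed only via a role activated in this session."""
        _, roles = self.sessions[sid]
        return any((operation, obj) in self.pa.get(r, ()) for r in roles)

def hospital():
    """The lecture's hospital setup: doctors diagnose, prescribe and order lab tests;
    researchers only gather anonymous clinical information."""
    r = RBAC()
    for op, obj in [("diagnose", "patient"), ("prescribe", "medication"), ("order", "lab_test")]:
        r.grant("doctor", op, obj)
    r.grant("researcher", "read", "anonymised_clinical_data")
    r.assign_user("dr_smith", "doctor")       # hypothetical users
    r.assign_user("dr_smith", "researcher")   # a clinician who also runs studies
    r.assign_user("jones", "researcher")
    return r
```

A user holding both roles who opens a session with only "researcher" active cannot prescribe in that session, which is the point of tying permissions to activated roles rather than to the user.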
Confidentiality Model
7
The Bell-LaPadula Model
♦ also called the multi-level model,
8
The Bell-LaPadula Model
♦ Simplest type of confidentiality classification is a set of security clearances arranged in a linear (total) ordering.
♦ Clearances represent the security levels.
♦ The higher the clearance, the more sensitive the info.
♦ Basic confidential classification system:
Level              Individuals       Documents
Top Secret (TS)    Peter, Thomas     Personnel Files
Secret (S)         Sally, Samuel     Electronic Mails
Confidential (C)   Claire, Clarence  Activity Log Files
Unclassified (UC)  Hannah, John      Telephone Lists
9
The Bell-LaPadula Model
♦ Basic Security Theorem:
– Let Σ be a system with secure initial state σ_0.
– Let T be the set of state transformations.
– If every element of T preserves the simple security condition, preliminary version, and the *-property, preliminary version, then every state σ_i, i ≥ 0, is secure.
10
The Bell-LaPadula Model
♦ Security Lattice
[Figure: lattice of category subsets, from Φ (the empty set) at the bottom up to {NUC, EUR, US} at the top]
♦ William may be cleared into level (SECRET, {EUR})
♦ George into level (TS, {NUC, US}).
♦ A document may be classified as (C, {EUR})
♦ Someone with clearance at (TS, {NUC, US}) will be denied access to a document with category EUR.
11
The Bell-LaPadula Model
♦ Let C(S) be the category set of subject S.
♦ Let C(O) be the category set of object O.
♦ Simple Security Condition (not read up): S can read O if and only if S dom O (the level and category set of S dominate those of O) and S has discretionary read access to O.
♦ *-Property (not write down): S can write to O if and only if O dom S and S has discretionary write access to O.
09 November 2010 Lecture 2: Security Models 23
12
The Bell-LaPadula Model
♦ Example:
• Alice's level is secret, Bob's level is unclassified, Carol's level is classified
• Memo1 is classified and Memo2 is top secret
• The simple security property specifies that:
– Memo2 should not be read by Alice, Bob, or Carol
– Bob is not allowed to read memo1, but both Alice and Carol are allowed to read it
• The *-property specifies that:
– Bob and Carol can write to memo1, since its level is not lower than theirs
– Alice's level is secret, so she is not permitted to write to memo1
– Alice, Bob, and Carol are all at a lower level than memo2 and can therefore write to it
Integrity Model
13
The Biba Model
♦ Based on Bell-LaPadula
– Subjects, Objects
– Integrity Levels with dominance relation
• Higher levels
– more reliable/trustworthy
– more accurate
♦ Information transfer path: sequence of subjects and objects where
– s_i r o_i
– s_i w o_{i+1}
14
The Biba Model
♦ Prevents corruption of clean higher level entities by dirty lower level entities.
– Biba model addresses integrity whereas Bell-LaPadula concerns disclosure of information
♦ Notations
– Subjects and objects are ordered by an integrity scheme denoted I(s) and I(o)
♦ Properties
– Simple Integrity Property: Subject s can modify (or have write access to) object o iff I(s) ≥ I(o)
– Integrity *-property: If subject s has read access to object o with integrity level I(o), s can have write access to object p iff I(o) ≥ I(p)
♦ Problem: Ignores secrecy
♦ Ring Policy
– s r o allows any subject to read any object
– s1 x s2 ⇔ i(s2) ≤ i(s1)
15
The Biba Model
♦ Biba's Model: Strict Integrity Policy (dual of Bell-LaPadula)
– s r o ⇔ i(s) ≤ i(o) (no read-down)
– s w o ⇔ i(o) ≤ i(s) (no write-up)
– s1 x s2 ⇔ i(s2) ≤ i(s1)
16
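The Bell-LaPadula rules on the (level, category set) lattice from slides 11 and 12, and the strict Biba policy as their dual, as an added example that is not part of the lecture. It reuses the lecture's Alice/Bob/Carol memo example and the William/George lattice example; mapping the memo example's "classified" level to C in the slide 9 ordering is an assumption.

```python
# Added example (not from the lecture): a (level, category-set) lattice with the
# dominance relation, then the Bell-LaPadula rules and their strict-Biba dual on it.
from dataclasses import dataclass

# Linear order from slide 9; the memo example's "classified" is taken to be C (assumption).
LEVELS = {"UC": 0, "C": 1, "S": 2, "TS": 3}

@dataclass(frozen=True)
class Label:
    level: str
    cats: frozenset = frozenset()   # category set, e.g. {NUC, EUR, US}

def dom(a: Label, b: Label) -> bool:
    """a dom b: a's level is at least b's and a's categories include all of b's."""
    return LEVELS[a.level] >= LEVELS[b.level] and a.cats >= b.cats

# Bell-LaPadula (confidentiality): no read up, no write down.
def blp_can_read(s: Label, o: Label, dac_read: bool = True) -> bool:
    """Simple security condition: S dom O, and S has discretionary read access."""
    return dom(s, o) and dac_read

def blp_can_write(s: Label, o: Label, dac_write: bool = True) -> bool:
    """*-property: O dom S, and S has discretionary write access."""
    return dom(o, s) and dac_write

# Strict Biba (integrity) is the dual: no read down, no write up.
# Here the Label level names are read as integrity levels i(s), i(o).
def biba_can_read(s: Label, o: Label) -> bool:
    return dom(o, s)    # i(s) <= i(o)

def biba_can_write(s: Label, o: Label) -> bool:
    return dom(s, o)    # i(o) <= i(s)

# The lecture's examples.
alice, bob, carol = Label("S"), Label("UC"), Label("C")
memo1, memo2 = Label("C"), Label("TS")
william = Label("S", frozenset({"EUR"}))
george = Label("TS", frozenset({"NUC", "US"}))
document = Label("C", frozenset({"EUR"}))

if __name__ == "__main__":
    for who, lab in [("Alice", alice), ("Bob", bob), ("Carol", carol)]:
        print(who, "read memo1:", blp_can_read(lab, memo1), "write memo1:", blp_can_write(lab, memo1))
    print("George reads (C, {EUR}):", blp_can_read(george, document))
```

George's clearance sits higher than the document's level but lacks the EUR category, so dominance fails on the category test alone; that is the lattice case the slide describes and it cannot be expressed with a linear ordering.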
The Chinese Wall Model
♦ Used mainly by services and consultancy firms
♦ Effective in securing data/information that may lead to conflict of interests within an organization/corporation
♦ Intended to prevent unauthorized flow of information from one organization to another via a consultant working at both
♦ Introduces concept of separation of duty into access control
♦ GENERAL RULE: there must be no information flow that causes a conflict of interest
[Figure: Company A and Company B are competitors. Analyst A consults for Company A and updates Bank X's portfolio with information on Company A; Analyst B consults for Company B and has access to Bank X's portfolio.]
17
The Chinese Wall Model
♦ The simple security policy
– A subject has access to a particular object in company X only if such subject has had access to such object
♦ The * property
– A subject can write to an object in a given company X only if such subject cannot read any data (or objects) from any company that is a competitor of X unless such objects have been sanitized
18
The Chinese Wall Model
♦ Set of subjects S
♦ Set of objects O
♦ Set of companies C
♦ Set of conflict of interest classes K
– Each company belongs to at least one conflict of interest class
♦ Every unsanitized object has a security label (x(o), y(o))
– y : O → C identifies the owner of an object
– x : O → K identifies the object's conflict of interest class
♦ Every sanitized object has the same security label
♦ A history matrix H
19
The Chinese Wall Model
♦ Consistency
– If y(o1) = y(o2) then x(o1) = x(o2)
– If o1 and o2 are owned by the same company then they belong to the same COI
• If o1 and o2 belong to different COIs then they are owned by different companies
♦ Simple security property
– s can access o if for all p such that H[s, p] = 1 either x(o) ≠ x(p) or y(o) = y(p)
– s can access o if s hasn't already accessed an object in the same COI or o contains sanitized information
20
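The Chinese Wall labels (x(o), y(o)), the consistency condition and the simple security property with a history matrix H from slides 19 and 20, applied to the Company A / Company B / Bank X scenario of slide 17, as an added example that is not part of the lecture. The *-property is implemented in its full Brewer-Nash form (any second company's unsanitized data blocks a write, competitor or not), which goes beyond the slide's wording but is what actually closes the Analyst A to Bank X to Analyst B path in the figure; company, class and object names are constructed.

```python
# Added example (not from the lecture): the Chinese Wall rules with a history
# matrix H, applied to the slide's Company A / Company B / Bank X scenario.
# Company, class and object names are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Obj:
    name: str
    company: Optional[str]   # y(o): owning company; None for sanitized objects
    coi: Optional[str]       # x(o): conflict-of-interest class; None for sanitized objects

    @property
    def sanitized(self) -> bool:
        return self.company is None

def consistent(objects) -> bool:
    """Consistency: objects owned by the same company belong to the same COI class."""
    coi_of = {}
    for o in objects:
        if not o.sanitized and coi_of.setdefault(o.company, o.coi) != o.coi:
            return False
    return True

class ChineseWall:
    def __init__(self):
        self.H = {}   # history matrix: H[s] is the set of objects s has accessed

    def can_read(self, s, o) -> bool:
        """Simple security: for every unsanitized p already accessed, x(o) != x(p) or y(o) == y(p)."""
        if o.sanitized:
            return True
        return all(o.coi != p.coi or o.company == p.company
                   for p in self.H.get(s, ()) if not p.sanitized)

    def read(self, s, o) -> bool:
        if not self.can_read(s, o):
            return False
        self.H.setdefault(s, set()).add(o)   # record the access in H
        return True

    def can_write(self, s, o) -> bool:
        """*-property (full Brewer-Nash form): s may write o only if every unsanitized
        object s has read belongs to y(o); a second company's data, competitor or not,
        blocks the write, which is what stops the Analyst A -> Bank X -> Analyst B path."""
        return self.can_read(s, o) and all(
            p.sanitized or p.company == o.company for p in self.H.get(s, ()))
```

Note the consequence the model is known for: once an analyst has read unsanitized data from two companies, the *-property forbids writing to either of them, so the wall is only as usable as the sanitization process that feeds it.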
Exercise …
♦ Define 3 project managers with different classification levels.
♦ Populate 6 databases (could simply be arrays) with different classification levels.
♦ Any project manager can choose a database corresponding to his/her clearance level.
– But once (s)he has selected a database then (s)he can no longer access the other databases
21