Chapter 5: Confidentiality Policies
Date: 06.10.2018 | Size: 100.5 Kb
Overview
- What is a confidentiality model
- Bell-LaPadula Model
  - General idea
  - Informal description of rules

Overview
- Goals of Confidentiality Model
- Bell-LaPadula Model
  - Informally
  - Example Instantiation

Confidentiality Policy
- Goal: prevent the unauthorized disclosure of information
  - Deals with information flow
  - Integrity incidental
- Multi-level security models are best-known examples
  - Bell-LaPadula Model basis for many, or most, of these
Bell-LaPadula Model, Step 1
- Security levels arranged in linear ordering
  - Top Secret: highest
  - Secret
  - Confidential
  - Unclassified: lowest
- Levels consist of security clearance L(s) for subjects
  - Objects have security classification L(o)

Example

Reading Information
- Information flows up, not down
  - “Reads up” disallowed, “reads down” allowed
- Simple Security Condition (Step 1)
  - Subject s can read object o iff L(o) ≤ L(s) and s has permission to read o
  - Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
  - Sometimes called “no reads up” rule

Writing Information
- Information flows up, not down
  - “Writes up” allowed, “writes down” disallowed
- *-Property (Step 1)
  - Subject s can write object o iff L(s) ≤ L(o) and s has permission to write o
  - Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
  - Sometimes called “no writes down” rule

Basic Security Theorem, Step 1
- If a system is initially in a secure state, and every transition of the system satisfies the simple security condition, step 1, and the *-property, step 1, then every state of the system is secure
  - Proof: induct on the number of transitions
Bell-LaPadula Model, Step 2
- Expand notion of security level to include categories
- Security level is (clearance, category set)
- Examples
  - (Top Secret, { NUC, EUR, ASI })
  - (Confidential, { EUR, ASI })
  - (Secret, { NUC, ASI })

Levels and Lattices
- (A, C) dom (A′, C′) iff A′ ≤ A and C′ ⊆ C
- Examples
  - (Top Secret, {NUC, ASI}) dom (Secret, {NUC})
  - (Secret, {NUC, EUR}) dom (Confidential, {NUC, EUR})
  - (Top Secret, {NUC}) dom (Confidential, {EUR}) does not hold, since EUR ∉ {NUC}
- Let C be set of classifications, K set of categories. Set of security levels L = C × K, and dom form a lattice
  - lub(L) = (max(A), K), i.e. the highest clearance with every category
  - glb(L) = (min(A), ∅), i.e. the lowest clearance with no categories

Levels and Ordering
- Security levels partially ordered
  - Any pair of security levels may (or may not) be related by dom
- “dominates” serves the role of “greater than” in step 1
  - “greater than” is a total ordering, though
Reading Information
- Information flows up, not down
  - “Reads up” disallowed, “reads down” allowed
- Simple Security Condition (Step 2)
  - Subject s can read object o iff L(s) dom L(o) and s has permission to read o
  - Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
  - Sometimes called “no reads up” rule

Writing Information
- Information flows up, not down
  - “Writes up” allowed, “writes down” disallowed
- *-Property (Step 2)
  - Subject s can write object o iff L(o) dom L(s) and s has permission to write o
  - Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
  - Sometimes called “no writes down” rule

Basic Security Theorem, Step 2
- If a system is initially in a secure state, and every transition of the system satisfies the simple security condition, step 2, and the *-property, step 2, then every state of the system is secure
  - Proof: induct on the number of transitions
  - In actual Basic Security Theorem, discretionary access control treated as third property, and simple security property and *-property phrased to eliminate discretionary part of the definitions — but simpler to express the way done here.
Problem
- Colonel has (Secret, {NUC, EUR}) clearance
- Major has (Secret, {EUR}) clearance
  - Major can talk to colonel (“write up” or “read down”)
  - Colonel cannot talk to major (“read up” or “write down”)
- Clearly absurd!

Solution
- Define maximum, current levels for subjects
  - maxlevel(s) dom curlevel(s)
- Example
  - Treat Major as an object (Colonel is writing to him/her)
  - Colonel has maxlevel (Secret, { NUC, EUR })
  - Colonel sets curlevel to (Secret, { EUR })
  - Now L(Major) dom curlevel(Colonel)
  - Colonel can write to Major without violating “no writes down”
- Does L(s) mean curlevel(s) or maxlevel(s)?
  - Formally, we need a more precise notation
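The step 2 lattice, the two rules and the maxlevel/curlevel fix from the Colonel/Major problem, as an added Python example that is not part of the lecture slides; the subject names and levels are taken from the slides, the function and class names are my own:

```python
# Added example (not from the lecture slides): Bell-LaPadula step 2 levels as
# (clearance, category set) pairs, the "dominates" relation, lub/glb, the
# simple security condition and *-property, and the maxlevel/curlevel fix.
# Subject and level values below follow the slides' Colonel/Major example.
CLEARANCE = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

def dom(a, b):
    """(A, C) dom (A', C') iff A' <= A and C' is a subset of C."""
    (cl_a, cats_a), (cl_b, cats_b) = a, b
    return CLEARANCE[cl_b] <= CLEARANCE[cl_a] and frozenset(cats_b) <= frozenset(cats_a)

def lub(a, b):
    """Least upper bound: the higher clearance with the union of categories."""
    return (max(a[0], b[0], key=CLEARANCE.get), frozenset(a[1]) | frozenset(b[1]))

def glb(a, b):
    """Greatest lower bound: the lower clearance with the intersection of categories."""
    return (min(a[0], b[0], key=CLEARANCE.get), frozenset(a[1]) & frozenset(b[1]))

def can_read(subj_level, obj_level, has_read_perm):
    """Simple security condition, step 2: L(s) dom L(o) plus discretionary read."""
    return has_read_perm and dom(subj_level, obj_level)

def can_write(subj_level, obj_level, has_write_perm):
    """*-property, step 2: L(o) dom L(s) plus discretionary write."""
    return has_write_perm and dom(obj_level, subj_level)

class Subject:
    """A subject with a maximum level and an adjustable current level."""
    def __init__(self, name, maxlevel):
        self.name, self.maxlevel, self.curlevel = name, maxlevel, maxlevel

    def set_curlevel(self, level):
        # Invariant from the slides: maxlevel(s) dom curlevel(s).
        if not dom(self.maxlevel, level):
            raise ValueError("curlevel must be dominated by maxlevel")
        self.curlevel = level

def colonel_major_demo():
    """Returns (before, after): may the Colonel write to the Major (treated as an object)?"""
    colonel = Subject("Colonel", ("Secret", frozenset({"NUC", "EUR"})))
    major = ("Secret", frozenset({"EUR"}))
    before = can_write(colonel.curlevel, major, True)     # write down: denied
    colonel.set_curlevel(("Secret", frozenset({"EUR"})))  # Colonel lowers curlevel
    after = can_write(colonel.curlevel, major, True)      # L(Major) dom curlevel(Colonel)
    return before, after
```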
DG/UX System
- Provides mandatory access controls
  - MAC label identifies security level
  - Default labels, but can define others
- Initially
  - Subjects assigned MAC label of parent
  - Initial label assigned to user, kept in Authorization and Authentication database
  - Object assigned label at creation

MAC Regions

Directory Problem
- Process p at MAC_A tries to create file /tmp/x
- /tmp/x exists but has MAC label MAC_B
  - Create fails
  - Now p knows a file named x with a higher label exists
- Fix: only programs with same MAC label as directory can create files in the directory
  - Now compilation won’t work, mail can’t be delivered

Multilevel Directory
- Directory with a set of subdirectories, one per label
  - Not normally visible to user
  - p creating /tmp/x actually creates /tmp/d/x where d is directory corresponding to MAC_A
  - All p’s references to /tmp go to /tmp/d
- p cd’s to /tmp/a, then to ..
  - System call stat(“.”, &buf) returns inode number of real directory
  - System call dg_stat(“.”, &buf) returns inode of /tmp
Object Labels
- Requirement: every file system object must have MAC label
- Roots of file systems have explicit MAC labels
  - If mounted file system has no label, it gets label of mount point
- Object with implicit MAC label inherits label of parent

Object Labels
- Problem: object has two names
  - /x/y/z, /a/b/c refer to same object
  - y has explicit label IMPL_HI
  - b has explicit label IMPL_B
- Case 1: hard link created while file system on DG/UX system, so …
  - Creating hard link requires explicit label
  - If implicit, label made explicit
  - Moving a file makes label explicit

Object Labels
- Case 2: hard link exists when file system mounted
  - No objects on paths have explicit labels: paths have same implicit labels
  - An object on path acquires an explicit label: implicit label of child must be preserved, so …
  - Change to directory label makes child labels explicit before the change

Object Labels
- Symbolic links are files, and treated as such, so …
  - When resolving symbolic link, label of object is label of target of the link
  - System needs access to the symbolic link itself

Using MAC Labels
- Simple security condition implemented
- *-property not fully implemented
  - Process MAC must equal object MAC
  - Writing allowed only at same security level
- Overly restrictive in practice
MAC Tuples
- Up to 3 MAC ranges (one per region)
  - Upper bound must dominate lower bound of range
- Examples
  - [(Secret, {NUC}), (Top Secret, {NUC})]
  - [(Secret, ∅), (Top Secret, {NUC, EUR, ASI})]
  - [(Confidential, {ASI}), (Secret, {NUC, ASI})]

MAC Ranges
- [(Secret, {NUC}), (Top Secret, {NUC})]
- [(Secret, ∅), (Top Secret, {NUC, EUR, ASI})]
- [(Confidential, {ASI}), (Secret, {NUC, ASI})]
- (Top Secret, {NUC}) in ranges 1, 2
- (Secret, {NUC, ASI}) in ranges 2, 3
- [(Secret, {ASI}), (Top Secret, {EUR})] not a valid range
  - as (Top Secret, {EUR}) does not dom (Secret, {ASI}): ASI ∉ {EUR}

Objects and Tuples
- Objects must have MAC labels
  - May also have MAC range
  - If both, tuple overrides label
- Example
  - Paper has MAC range: [(Secret, {EUR}), (Top Secret, {NUC, EUR})]

MAC Tuples
- Process can read object when:
  - Object MAC range (lr, hr); process MAC label pl
  - pl dom hr
  - Process MAC label grants read access to upper bound of range
- Example
  - Peter, with label (Secret, {EUR}), cannot read paper
    - (Top Secret, {NUC, EUR}) dom (Secret, {EUR}), so pl does not dom hr
  - Paul, with label (Top Secret, {NUC, EUR, ASI}), can read paper
    - (Top Secret, {NUC, EUR, ASI}) dom (Top Secret, {NUC, EUR})

MAC Tuples
- Process can write object when:
  - Object MAC range (lr, hr); process MAC label pl
  - pl ∈ [lr, hr], i.e. hr dom pl and pl dom lr
  - Process MAC label grants write access to any label in range
- Example
  - Peter, with label (Secret, {EUR}), can write paper
    - (Top Secret, {NUC, EUR}) dom (Secret, {EUR}) and (Secret, {EUR}) dom (Secret, {EUR})
  - Paul, with label (Top Secret, {NUC, EUR, ASI}), cannot write paper
    - (Top Secret, {NUC, EUR, ASI}) dom (Top Secret, {NUC, EUR}), so hr does not dom pl
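The MAC range validity check and the read/write rules above, run over the slides' three example ranges and the paper/Peter/Paul example, as an added Python example that is not DG/UX code or part of the lecture; function names are my own:

```python
# Added example (not from the lecture slides or DG/UX): MAC ranges (tuples)
# and the checks a process MAC label pl must pass against an object's range
# [lr, hr]. The ranges, the paper, Peter and Paul are the slides' values.
CLEARANCE = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

def dom(a, b):
    """(A, C) dom (A', C') iff A' <= A and C' is a subset of C."""
    return CLEARANCE[b[0]] <= CLEARANCE[a[0]] and frozenset(b[1]) <= frozenset(a[1])

def valid_range(lr, hr):
    """A range is well formed only if its upper bound dominates its lower bound."""
    return dom(hr, lr)

def in_range(label, lr, hr):
    """label lies in [lr, hr] iff hr dom label and label dom lr."""
    return dom(hr, label) and dom(label, lr)

def ranges_containing(label, ranges):
    """1-based indices (as numbered on the slides) of the ranges containing label."""
    return [i for i, (lr, hr) in enumerate(ranges, 1) if in_range(label, lr, hr)]

def can_read(pl, lr, hr):
    """Read allowed when the process label dominates the range's upper bound."""
    if not valid_range(lr, hr):
        raise ValueError("upper bound must dominate lower bound")
    return dom(pl, hr)

def can_write(pl, lr, hr):
    """Write allowed when the process label lies anywhere in the range."""
    if not valid_range(lr, hr):
        raise ValueError("upper bound must dominate lower bound")
    return in_range(pl, lr, hr)

# The three example ranges from the slides.
RANGES = [
    (("Secret", {"NUC"}), ("Top Secret", {"NUC"})),
    (("Secret", set()), ("Top Secret", {"NUC", "EUR", "ASI"})),
    (("Confidential", {"ASI"}), ("Secret", {"NUC", "ASI"})),
]
# The paper's MAC range and the two process labels from the slides.
PAPER = (("Secret", {"EUR"}), ("Top Secret", {"NUC", "EUR"}))
PETER = ("Secret", {"EUR"})
PAUL = ("Top Secret", {"NUC", "EUR", "ASI"})
```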
Key Points
- Confidentiality models restrict flow of information
- Bell-LaPadula models multilevel security
  - Cornerstone of much work in computer security