Upload
spkarthikkannan
View
219
Download
0
Embed Size (px)
Citation preview
7/28/2019 463.2 Hybrid Policies
1/54
Computer Security463.1 Hybrid Polices
Fall 2005
Based on slides provided by Matt Bishop for use with
Computer Security: Art and Science
7/28/2019 463.2 Hybrid Policies
2/54
Overview
Pure security policies Chinese wall
Security policy for medical records
Originator control policy (ORCON) Role based access control
7/28/2019 463.2 Hybrid Policies
3/54
Required
Reading:All of Chapter 7
Chapters 4,5,6 as needed
Exercises: All of the exercises in Section7.8
7/28/2019 463.2 Hybrid Policies
4/54
Security Policy Dimensions
Discretionary Access Control (DAC)
Mandatory Access Control (MAC)
Confidentiality
Example: Bell-LaPadula
Integrity
Example: Biba
7/28/2019 463.2 Hybrid Policies
5/54
Bell-LaPadula
Military classifications (objects) and clearances(subjects) Level
Compartment
Dominate: high enough level and all compartments
Basic properties Simple security condition: no reads up
*-property: no writes down
Discretionary security (ds) condition: discretionary controls arerespected
Basic Security Theorem: (R, D, W, z0) is a secure
system ifz0is a secure state and Wsatisfies the simple
security condition, the *-property, and the ds condition.
Bell, LaPadula 73
7/28/2019 463.2 Hybrid Policies
6/54
Biba Low-Water-Mark
Idea: when s reads o, i(s) = min(i(s), i(o)); scan only write objects at lower levels
Rules
1. s
S can write to o
O if and only ifi(o) i(s).2. If sS reads oO, then i(s) = min(i(s), i(o)),
where i(s) is the subjects integrity level after the
read.
3. s1
S can execute s2
S if and only ifi(s2) i(s1). Low-water-mark property
Biba 77
7/28/2019 463.2 Hybrid Policies
7/54
Lipner Requirements
1. Users will not write their own programs, but will use existingproduction programs and databases.
2. Programmers will develop and test programs on a non-production
system; if they need access to actual data, they will be given
production data via a special process, but will use it on their
development system.3. A special process must be followed to install a program from the
development system onto the production system.
4. The special process in requirement 3 must be controlled and
audited.
5. The managers and auditors must have access to both the systemstate and the system logs that are generated.
Lipner 82
7/28/2019 463.2 Hybrid Policies
8/54
Clark-Wilson Integrity Model
Integrity defined by a set of constraints Data in a consistentor valid state when it satisfies
these
Example: Bank
D todays deposits, Wwithdrawals, YB yesterdaysbalance, TB todays balance
Integrity constraint: D + YB W
Well-formed transaction move system from one
consistent state to another Issue: who examines, certifies transactions done
correctly?
Clark, Wilson 87
7/28/2019 463.2 Hybrid Policies
9/54
Entities
CDIs: constrained data items Data subject to integrity controls
UDIs: unconstrained data items Data not subject to integrity controls
IVPs: integrity verification procedures Procedures that test the CDIs conform to the integrity
constraints
TPs: transaction procedures Procedures that take the system from one valid state
to another
7/28/2019 463.2 Hybrid Policies
10/54
Certification Rules 1 and 2
CR1 When any IVP is run, it must ensure all CDIsare in a valid state
CR2 For some associated set of CDIs, a TP must
transform those CDIs in a valid state into a
(possibly different) valid state
Defines relation certifiedthat associates a set of
CDIs with a particular TP
Example: TP balance, CDIs accounts, in bankexample
7/28/2019 463.2 Hybrid Policies
11/54
Enforcement Rules 1 and 2
ER1 The system must maintain the certifiedrelations and must ensure that only TPscertified to run on a CDI manipulate that CDI.
ER2 The system must associate a user with each
TP and set of CDIs. The TP may accessthose CDIs on behalf of the associated user.The TP cannot access that CDI on behalf ofa user not associated with that TP and CDI.
System must maintain, enforce certified relation System must also restrict access based on user
ID (allowedrelation)
7/28/2019 463.2 Hybrid Policies
12/54
Users and Rules
CR3 The allowed relations must meet therequirements imposed by the principle ofseparation of duty.
ER3 The system must authenticate each user
attempting to execute a TP Type of authentication undefined, and depends
on the instantiation
Authentication notrequired before use of the
system, but is required before manipulation ofCDIs (requires using TPs)
7/28/2019 463.2 Hybrid Policies
13/54
Logging
CR4 All TPs must append enoughinformation to reconstruct the operation
to an append-only CDI.
This CDI is the logAuditor needs to be able to determine
what happened during reviews of
transactions
7/28/2019 463.2 Hybrid Policies
14/54
Handling Untrusted Input
CR5 Any TP that takes as input a UDI mayperform only valid transformations, or no
transformations, for all possible values of the
UDI. The transformation either rejects the
UDI or transforms it into a CDI.
In bank, numbers entered at keyboard are UDIs,
so cannot be input to TPs. TPs must validate
numbers (to make them a CDI) before using
them; if validation fails, TP rejects UDI
7/28/2019 463.2 Hybrid Policies
15/54
Separation of Duty In Model
ER4 Only the certifier of a TP may changethe list of entities associated with that
TP. No certifier of a TP, or of an entity
associated with that TP, may ever haveexecute permission with respect to that
entity.
Enforces separation of duty with respectto certified and allowed relations
7/28/2019 463.2 Hybrid Policies
16/54
Chinese Wall Model
Problem: Tony advises Citibank about investments
He is asked to advise Bank of America about
investments Conflict of interest to accept, because his
advice for either bank would affect his
advice to the other bank
Brewer, Nash 89
7/28/2019 463.2 Hybrid Policies
17/54
Organization
Organize entities into conflict of interestclasses
Control subject accesses to each class
Control writing to all classes to ensureinformation is not passed along in violationof rules
Allow sanitized data to be viewed byeveryone
7/28/2019 463.2 Hybrid Policies
18/54
Definitions
Objects: items of information related to acompany
Company dataset(CD): contains objects relatedto a single company
Written CD(o)
Conflict of interestclass (COI): contains datasetsof companies in competition Written COI(o)
Assume: each object belongs to exactly one COIclass
7/28/2019 463.2 Hybrid Policies
19/54
Example
Bank of America
Citibank Bank of the West
Bank COI Class
Shell Oil
Union 76
Standard Oil
ARCO
Gasoline Company COI Class
7/28/2019 463.2 Hybrid Policies
20/54
Temporal Element
If Anthony reads any CD in a COI, he canneverread another CD in that COI
Possible that information learned earlier may
allow him to make decisions later Let PR(S) be set of objects that S has already
read
7/28/2019 463.2 Hybrid Policies
21/54
CW-Simple Security Condition
s can read o iff either condition holds:1. There is an osuch that s has accessed oand
CD(o) = CD(o) Meaning s has read something in os dataset
2. For all o
O, o
PR(s)
COI(o) COI(o) Meaning s has not read any objects in os conflict of
interest class
Ignores sanitized data (see below)
Initially, PR(s) = , so initial read requestgranted
7/28/2019 463.2 Hybrid Policies
22/54
Sanitization
Public information may belong to a CD As is publicly available, no conflicts of interest
arise
So, should not affect ability of analysts to read
Typically, all sensitive data removed from suchinformation before it is released publicly (calledsanitization)
Add third condition to CW-Simple Security
Condition:3. o is a sanitized object
7/28/2019 463.2 Hybrid Policies
23/54
Writing
Anthony, Susan work in same tradinghouse
Anthony can read Bank 1s CD, Gas CD
Susan can read Bank 2s CD, Gas CD If Anthony could write to Gas CD, Susan
can read it Hence, indirectly, she can read information
from Bank 1s CD, a potential conflict ofinterest
7/28/2019 463.2 Hybrid Policies
24/54
CW-*-Property
s can write to o iff both of the followinghold:
1. The CW-simple security condition permitss to read o; and
2. For all unsanitizedobjects o, ifs can reado, then CD(o) = CD(o)
Says that s can write to an object if all the
(unsanitized) objects s can read are in thesame dataset
7/28/2019 463.2 Hybrid Policies
25/54
Compare to Bell-LaPadula
Temporal aspect is fundamental to model butthis is not an explicit part of Bell-LaPadula
Bell-LaPadula can capture state at any time Each (COI, CD) pair gets security category
Two clearances, S (sanitized) and U(unsanitized) S dom U
Subjects assigned clearance for compartmentswithout multiple categories corresponding to CDs in
same COI class
7/28/2019 463.2 Hybrid Policies
26/54
Compare to Clark-Wilson
Clark-Wilson Model covers integrity, soconsider only access control aspects
If subjects and processes areinterchangeable, a single person could usemultiple processes to violate CW-simplesecurity condition Would still comply with Clark-Wilson Model
If subject is a specific person and includesall processes the subject executes, thenconsistent with Clark-Wilson Model
7/28/2019 463.2 Hybrid Policies
27/54
Clinical Information Systems Security Policy
Intended for medical records Conflict of interest not critical problem
Patient confidentiality, authentication of records andannotators, and integrity are
Entities: Patient: subject of medical records (or agent)
Personal health information: data about patientshealth or treatment enabling identification of patient
Clinician: health-care professional with access topersonal health information while doing job
Anderson 96
7/28/2019 463.2 Hybrid Policies
28/54
Assumptions and Principles
Assumes health information involves 1person at a time
Not always true; OB/GYN involves father as
well as mother Principles derived from medical ethics of
various societies, and from practicing
clinicians
7/28/2019 463.2 Hybrid Policies
29/54
Access
Access Principle 1: Each medical recordhas an access control list naming theindividuals or groups who may read andappend information to the record. Thesystem must restrict access to thoseidentified on the access control list. Idea is that clinicians need access, but no-one
else. Auditors get access to copies, so theycannot alter records
7/28/2019 463.2 Hybrid Policies
30/54
Access
Access Principle 2: One of the clinicianson the access control list must have the
right to add other clinicians to the access
control list. Called the responsible clinician
7/28/2019 463.2 Hybrid Policies
31/54
Access
Access Principle 3: The responsibleclinician must notify the patient of thenames on the access control list wheneverthe patients medical record is opened.Except for situations given in statutes, orin cases of emergency, the responsibleclinician must obtain the patients consent.
Patient must consent to all treatment, andmust know of violations of security
7/28/2019 463.2 Hybrid Policies
32/54
Access
Access Principle 4: The name of the clinician,the date, and the time of the access of a medical
record must be recorded. Similar information
must be kept for deletions.
This is for auditing. Dont delete information; update it
(last part is for deletion of records after death, for
example, or deletion of information when required by
statute). Record information about all accesses.
7/28/2019 463.2 Hybrid Policies
33/54
Creation
Creation Principle: A clinician may open arecord, with the clinician and the patient on the
access control list. If a record is opened as a
result of a referral, the referring clinician may
also be on the access control list. Creating clinician needs access, and patient should
get it. If created from a referral, referring clinician
needs access to get results of referral.
7/28/2019 463.2 Hybrid Policies
34/54
Deletion
Deletion Principle: Clinical informationcannot be deleted from a medical record
until the appropriate time has passed.
This varies with circumstances.
7/28/2019 463.2 Hybrid Policies
35/54
Confinement
Confinement Principle: Information fromone medical record may be appended to a
different medical record if and only if the
access control list of the second record isa subset of the access control list of the
first.
This keeps information from leaking to
unauthorized users. All users have to be on
the access control list.
7/28/2019 463.2 Hybrid Policies
36/54
Aggregation
Aggregation Principle: Measures for preventingaggregation of patient data must be effective. Inparticular, a patient must be notified if anyone isto be added to the access control list for the
patients record and if that person has access toa large number of medical records. Fear here is that a corrupt investigator may obtain
access to a large number of records, correlate them,and discover private information about individuals
which can then be used for nefarious purposes (suchas blackmail)
7/28/2019 463.2 Hybrid Policies
37/54
Enforcement
Principle: Any computer system thathandles medical records must have asubsystem that enforces the precedingprinciples. The effectiveness of thisenforcement must be subject to evaluationby independent auditors. This policy has to be enforced, and the
enforcement mechanisms must be auditable(and audited)
7/28/2019 463.2 Hybrid Policies
38/54
Compare to Bell-LaPadula
Confinement Principle imposes latticestructure on entities in model
Similar to Bell-LaPadula
CISS focuses on objects being accessed;B-LP on the subjects accessing the
objects
May matter when looking for insiders in themedical environment
7/28/2019 463.2 Hybrid Policies
39/54
Compare to Clark-Wilson
CDIs are medical records TPs are functions updating records, access control lists
IVPs certify: A person identified as a clinician is a clinician;
A clinician validates, or has validated, information in themedical record;
When someone is to be notified of an event, such notificationoccurs; and
When someone must give consent, the operation cannotproceed until the consent is obtained
Auditing (CR4) requirement: make all records append-only, notify patient when access control list changed
7/28/2019 463.2 Hybrid Policies
40/54
ORCON
Problem: organization creating documentwants to control its dissemination
Example: Secretary of Agriculture writes a
memo for distribution to her immediatesubordinates, and she must give permission
for it to be disseminated further. This is
originator controlled (here, the originator is
a person).
Graubert 89
7/28/2019 463.2 Hybrid Policies
41/54
Requirements
Subject sS marks object oO as ORCON onbehalf of organizationX. ThenXallows o to be
disclosed to subjects acting on behalf of
organization Ywith the following restrictions:
1. Object o cannot be released to subjects acting on
behalf of other organizations withoutXs
permission; and
2. Any copies ofo must have the same restrictions
placed on it.
7/28/2019 463.2 Hybrid Policies
42/54
DAC Fails
Owner can set any desired permissions This makes 2 unenforceable
7/28/2019 463.2 Hybrid Policies
43/54
MAC Fails
First problem: category explosion Category Ccontains o,X, Y, and nothing else. If a
subject yYwants to read o,xXmakes a copy owith category C. Ifywants to give zZa copy, zmust be in Yby definition, it is not. Ifxwants to let
wWsee the document, need a new category Ccontaining o,X, W.
Second problem: abstraction MAC classification, categories centrally controlled,
and access controlled by a centralized policy ORCON controlled locally
7/28/2019 463.2 Hybrid Policies
44/54
Combine Them
The owner of an object cannot change theaccess controls of the object.
When an object is copied, the access controlrestrictions of that source are copied and bound
to the target of the copy. These are MAC (owner cant control them)
The creator (originator) can alter the accesscontrol restrictions on a per-subject and per-
object basis. This is DAC (owner can control it)
R l B d A C l
7/28/2019 463.2 Hybrid Policies
45/54
Role-Based Access Control
Access depends on function, not identity Example:
Allison, bookkeeper for Math Dept, has access to
financial records.
She leaves.
Betty hired as the new bookkeeper, so she now
has access to those records
The role of bookkeeper dictates access, notthe identity of the individual.
Sandhu, Coyne, Feinstein, Youman 96
Ad t f RBAC
7/28/2019 463.2 Hybrid Policies
46/54
Advantages of RBAC
RBAC enables simplified management ofpermissions
Illustration
Two employees s, s with the same duties, which
require numerous permissions
Employee s finds she needs a new permission, if this
is added for s it should also be added for s
Change permission for role not the subject
Central management maintains a modest set of
carefully designed roles which are used for a
large number of subjects.
Ad t f RBAC
7/28/2019 463.2 Hybrid Policies
47/54
Advantages of RBAC Continued
RBAC can be used to manage risk Illustration (least privilege)
System administrator has role user when reading his
Adopts role sysadmin only when performing
administrative tasks
Constraints can be used in connection with roles
Illustration (separation of duties) Subject in advisor role cannot act in committee role
during qualifying exam
RBAC R f M d l
7/28/2019 463.2 Hybrid Policies
48/54
RBAC Reference Models
RBAC0 base model (vanilla roles)
RBAC1adds role hierarchies to RBAC
0
RBAC2adds constraints to RBAC
0
RBAC3merges RBAC
1and RBAC
2
RBAC0
RBAC1 RBAC2
RBAC3
RBAC
7/28/2019 463.2 Hybrid Policies
49/54
RBAC0
Users U, Roles R, Permissions P andSessions S
PA P R permissions for roles
UA U R users for roles user : S ! U users for sessions
roles : S ! 2R sets of roles for sessions
Permissions for s consist of the values
(p,r) 2 PA such that r2 role(s)
RBAC
7/28/2019 463.2 Hybrid Policies
50/54
RBAC1
U,R,P,S,PA,UA,user as in RBAC_0 is a partial order on R called the role
hierarchy
roles : S ! 2R
is a function such that, forevery s 2 S, roles(s) {r | 9 r r. (user(s),r) 2 UA}
Permissions for s consist of p such that 9 r
2 role(s). 9 r r. (p, r) 2 PA
RBAC
7/28/2019 463.2 Hybrid Policies
51/54
RBAC2
RBAC2 is unchanged from RBAC0 exceptfor requiring that there be constraints to
determine the acceptability of various
components of RBAC0. Only acceptablevalues will be permitted.
M j T f C t i t
7/28/2019 463.2 Hybrid Policies
52/54
Major Types of Constraints
Mutually exclusive roles Cardinality
Prerequisite roles
RBAC
7/28/2019 463.2 Hybrid Policies
53/54
RBAC3
Combine RBAC1 and RBAC2
Issues in the combination
Constraints on role hierarchies
Interactions
Strategy for role management: separate
administrative roles with potentially
simpler hierarchy and constraints
K P i t
7/28/2019 463.2 Hybrid Policies
54/54
Key Points
Hybrid policies deal with bothconfidentiality and integrity
Different combinations of these
ORCON model neither MAC nor DACActually, a combination
RBAC model controls access based on
functionality