463.2 Hybrid Policies

7/28/2019 463.2 Hybrid Policies

1/54

Computer Security463.1 Hybrid Polices

Fall 2005

Based on slides provided by Matt Bishop for use with

Computer Security: Art and Science


2/54

Overview

Pure security policies Chinese wall

Security policy for medical records

Originator control policy (ORCON) Role based access control


3/54

Required

Reading:All of Chapter 7

Chapters 4,5,6 as needed

Exercises: All of the exercises in Section7.8


4/54

Security Policy Dimensions

Discretionary Access Control (DAC)

Mandatory Access Control (MAC)

Confidentiality

Example: Bell-LaPadula

Integrity

Example: Biba


5/54

Bell-LaPadula

Military classifications (objects) and clearances(subjects) Level

Compartment

Dominate: high enough level and all compartments

Basic properties Simple security condition: no reads up

*-property: no writes down

Discretionary security (ds) condition: discretionary controls arerespected

Basic Security Theorem: (R, D, W, z0) is a secure

system ifz0is a secure state and Wsatisfies the simple

security condition, the *-property, and the ds condition.

Bell, LaPadula 73


6/54

Biba Low-Water-Mark

Idea: when s reads o, i(s) = min(i(s), i(o)); scan only write objects at lower levels

Rules

1. s

S can write to o

O if and only ifi(o) i(s).2. If sS reads oO, then i(s) = min(i(s), i(o)),

where i(s) is the subjects integrity level after the

read.

3. s1

S can execute s2

S if and only ifi(s2) i(s1). Low-water-mark property

Biba 77


7/54

Lipner Requirements

1. Users will not write their own programs, but will use existingproduction programs and databases.

2. Programmers will develop and test programs on a non-production

system; if they need access to actual data, they will be given

production data via a special process, but will use it on their

development system.3. A special process must be followed to install a program from the

development system onto the production system.

4. The special process in requirement 3 must be controlled and

audited.

5. The managers and auditors must have access to both the systemstate and the system logs that are generated.

Lipner 82


8/54

Clark-Wilson Integrity Model

Integrity defined by a set of constraints Data in a consistentor valid state when it satisfies

these

Example: Bank

D todays deposits, Wwithdrawals, YB yesterdaysbalance, TB todays balance

Integrity constraint: D + YB W

Well-formed transaction move system from one

consistent state to another Issue: who examines, certifies transactions done

correctly?

Clark, Wilson 87


9/54

Entities

CDIs: constrained data items Data subject to integrity controls

UDIs: unconstrained data items Data not subject to integrity controls

IVPs: integrity verification procedures Procedures that test the CDIs conform to the integrity

constraints

TPs: transaction procedures Procedures that take the system from one valid state

to another


10/54

Certification Rules 1 and 2

CR1 When any IVP is run, it must ensure all CDIsare in a valid state

CR2 For some associated set of CDIs, a TP must

transform those CDIs in a valid state into a

(possibly different) valid state

Defines relation certifiedthat associates a set of

CDIs with a particular TP

Example: TP balance, CDIs accounts, in bankexample


11/54

Enforcement Rules 1 and 2

ER1 The system must maintain the certifiedrelations and must ensure that only TPscertified to run on a CDI manipulate that CDI.

ER2 The system must associate a user with each

TP and set of CDIs. The TP may accessthose CDIs on behalf of the associated user.The TP cannot access that CDI on behalf ofa user not associated with that TP and CDI.

System must maintain, enforce certified relation System must also restrict access based on user

ID (allowedrelation)


12/54

Users and Rules

CR3 The allowed relations must meet therequirements imposed by the principle ofseparation of duty.

ER3 The system must authenticate each user

attempting to execute a TP Type of authentication undefined, and depends

on the instantiation

Authentication notrequired before use of the

system, but is required before manipulation ofCDIs (requires using TPs)


13/54

Logging

CR4 All TPs must append enoughinformation to reconstruct the operation

to an append-only CDI.

This CDI is the logAuditor needs to be able to determine

what happened during reviews of

transactions


14/54

Handling Untrusted Input

CR5 Any TP that takes as input a UDI mayperform only valid transformations, or no

transformations, for all possible values of the

UDI. The transformation either rejects the

UDI or transforms it into a CDI.

In bank, numbers entered at keyboard are UDIs,

so cannot be input to TPs. TPs must validate

numbers (to make them a CDI) before using

them; if validation fails, TP rejects UDI


15/54

Separation of Duty In Model

ER4 Only the certifier of a TP may changethe list of entities associated with that

TP. No certifier of a TP, or of an entity

associated with that TP, may ever haveexecute permission with respect to that

entity.

Enforces separation of duty with respectto certified and allowed relations


16/54

Chinese Wall Model

Problem: Tony advises Citibank about investments

He is asked to advise Bank of America about

investments Conflict of interest to accept, because his

advice for either bank would affect his

advice to the other bank

Brewer, Nash 89


17/54

Organization

Organize entities into conflict of interestclasses

Control subject accesses to each class

Control writing to all classes to ensureinformation is not passed along in violationof rules

Allow sanitized data to be viewed byeveryone


18/54

Definitions

Objects: items of information related to acompany

Company dataset(CD): contains objects relatedto a single company

Written CD(o)

Conflict of interestclass (COI): contains datasetsof companies in competition Written COI(o)

Assume: each object belongs to exactly one COIclass


19/54

Example

Bank of America

Citibank Bank of the West

Bank COI Class

Shell Oil

Union 76

Standard Oil

ARCO

Gasoline Company COI Class


20/54

Temporal Element

If Anthony reads any CD in a COI, he canneverread another CD in that COI

Possible that information learned earlier may

allow him to make decisions later Let PR(S) be set of objects that S has already

read


21/54

CW-Simple Security Condition

s can read o iff either condition holds:1. There is an osuch that s has accessed oand

CD(o) = CD(o) Meaning s has read something in os dataset

2. For all o

O, o

PR(s)

COI(o) COI(o) Meaning s has not read any objects in os conflict of

interest class

Ignores sanitized data (see below)

Initially, PR(s) = , so initial read requestgranted


22/54

Sanitization

Public information may belong to a CD As is publicly available, no conflicts of interest

arise

So, should not affect ability of analysts to read

Typically, all sensitive data removed from suchinformation before it is released publicly (calledsanitization)

Add third condition to CW-Simple Security

Condition:3. o is a sanitized object


23/54

Writing

Anthony, Susan work in same tradinghouse

Anthony can read Bank 1s CD, Gas CD

Susan can read Bank 2s CD, Gas CD If Anthony could write to Gas CD, Susan

can read it Hence, indirectly, she can read information

from Bank 1s CD, a potential conflict ofinterest


24/54

CW-*-Property

s can write to o iff both of the followinghold:

1. The CW-simple security condition permitss to read o; and

2. For all unsanitizedobjects o, ifs can reado, then CD(o) = CD(o)

Says that s can write to an object if all the

(unsanitized) objects s can read are in thesame dataset


25/54

Compare to Bell-LaPadula

Temporal aspect is fundamental to model butthis is not an explicit part of Bell-LaPadula

Bell-LaPadula can capture state at any time Each (COI, CD) pair gets security category

Two clearances, S (sanitized) and U(unsanitized) S dom U

Subjects assigned clearance for compartmentswithout multiple categories corresponding to CDs in

same COI class


26/54

Compare to Clark-Wilson

Clark-Wilson Model covers integrity, soconsider only access control aspects

If subjects and processes areinterchangeable, a single person could usemultiple processes to violate CW-simplesecurity condition Would still comply with Clark-Wilson Model

If subject is a specific person and includesall processes the subject executes, thenconsistent with Clark-Wilson Model


27/54

Clinical Information Systems Security Policy

Intended for medical records Conflict of interest not critical problem

Patient confidentiality, authentication of records andannotators, and integrity are

Entities: Patient: subject of medical records (or agent)

Personal health information: data about patientshealth or treatment enabling identification of patient

Clinician: health-care professional with access topersonal health information while doing job

Anderson 96


28/54

Assumptions and Principles

Assumes health information involves 1person at a time

Not always true; OB/GYN involves father as

well as mother Principles derived from medical ethics of

various societies, and from practicing

clinicians


29/54

Access

Access Principle 1: Each medical recordhas an access control list naming theindividuals or groups who may read andappend information to the record. Thesystem must restrict access to thoseidentified on the access control list. Idea is that clinicians need access, but no-one

else. Auditors get access to copies, so theycannot alter records


30/54

Access

Access Principle 2: One of the clinicianson the access control list must have the

right to add other clinicians to the access

control list. Called the responsible clinician


31/54

Access

Access Principle 3: The responsibleclinician must notify the patient of thenames on the access control list wheneverthe patients medical record is opened.Except for situations given in statutes, orin cases of emergency, the responsibleclinician must obtain the patients consent.

Patient must consent to all treatment, andmust know of violations of security


32/54

Access

Access Principle 4: The name of the clinician,the date, and the time of the access of a medical

record must be recorded. Similar information

must be kept for deletions.

This is for auditing. Dont delete information; update it

(last part is for deletion of records after death, for

example, or deletion of information when required by

statute). Record information about all accesses.


33/54

Creation

Creation Principle: A clinician may open arecord, with the clinician and the patient on the

access control list. If a record is opened as a

result of a referral, the referring clinician may

also be on the access control list. Creating clinician needs access, and patient should

get it. If created from a referral, referring clinician

needs access to get results of referral.


34/54

Deletion

Deletion Principle: Clinical informationcannot be deleted from a medical record

until the appropriate time has passed.

This varies with circumstances.


35/54

Confinement

Confinement Principle: Information fromone medical record may be appended to a

different medical record if and only if the

access control list of the second record isa subset of the access control list of the

first.

This keeps information from leaking to

unauthorized users. All users have to be on

the access control list.


36/54

Aggregation

Aggregation Principle: Measures for preventingaggregation of patient data must be effective. Inparticular, a patient must be notified if anyone isto be added to the access control list for the

patients record and if that person has access toa large number of medical records. Fear here is that a corrupt investigator may obtain

access to a large number of records, correlate them,and discover private information about individuals

which can then be used for nefarious purposes (suchas blackmail)


37/54

Enforcement

Principle: Any computer system thathandles medical records must have asubsystem that enforces the precedingprinciples. The effectiveness of thisenforcement must be subject to evaluationby independent auditors. This policy has to be enforced, and the

enforcement mechanisms must be auditable(and audited)


38/54

Compare to Bell-LaPadula

Confinement Principle imposes latticestructure on entities in model

Similar to Bell-LaPadula

CISS focuses on objects being accessed;B-LP on the subjects accessing the

objects

May matter when looking for insiders in themedical environment


39/54

Compare to Clark-Wilson

CDIs are medical records TPs are functions updating records, access control lists

IVPs certify: A person identified as a clinician is a clinician;

A clinician validates, or has validated, information in themedical record;

When someone is to be notified of an event, such notificationoccurs; and

When someone must give consent, the operation cannotproceed until the consent is obtained

Auditing (CR4) requirement: make all records append-only, notify patient when access control list changed


40/54

ORCON

Problem: organization creating documentwants to control its dissemination

Example: Secretary of Agriculture writes a

memo for distribution to her immediatesubordinates, and she must give permission

for it to be disseminated further. This is

originator controlled (here, the originator is

a person).

Graubert 89


41/54

Requirements

Subject sS marks object oO as ORCON onbehalf of organizationX. ThenXallows o to be

disclosed to subjects acting on behalf of

organization Ywith the following restrictions:

1. Object o cannot be released to subjects acting on

behalf of other organizations withoutXs

permission; and

2. Any copies ofo must have the same restrictions

placed on it.


42/54

DAC Fails

Owner can set any desired permissions This makes 2 unenforceable


43/54

MAC Fails

First problem: category explosion Category Ccontains o,X, Y, and nothing else. If a

subject yYwants to read o,xXmakes a copy owith category C. Ifywants to give zZa copy, zmust be in Yby definition, it is not. Ifxwants to let

wWsee the document, need a new category Ccontaining o,X, W.

Second problem: abstraction MAC classification, categories centrally controlled,

and access controlled by a centralized policy ORCON controlled locally


44/54

Combine Them

The owner of an object cannot change theaccess controls of the object.

When an object is copied, the access controlrestrictions of that source are copied and bound

to the target of the copy. These are MAC (owner cant control them)

The creator (originator) can alter the accesscontrol restrictions on a per-subject and per-

object basis. This is DAC (owner can control it)

R l B d A C l


45/54

Role-Based Access Control

Access depends on function, not identity Example:

Allison, bookkeeper for Math Dept, has access to

financial records.

She leaves.

Betty hired as the new bookkeeper, so she now

has access to those records

The role of bookkeeper dictates access, notthe identity of the individual.

Sandhu, Coyne, Feinstein, Youman 96

Ad t f RBAC


46/54

Advantages of RBAC

RBAC enables simplified management ofpermissions

Illustration

Two employees s, s with the same duties, which

require numerous permissions

Employee s finds she needs a new permission, if this

is added for s it should also be added for s

Change permission for role not the subject

Central management maintains a modest set of

carefully designed roles which are used for a

large number of subjects.

Ad t f RBAC


47/54

Advantages of RBAC Continued

RBAC can be used to manage risk Illustration (least privilege)

System administrator has role user when reading his

mail

Adopts role sysadmin only when performing

administrative tasks

Constraints can be used in connection with roles

Illustration (separation of duties) Subject in advisor role cannot act in committee role

during qualifying exam

RBAC R f M d l


48/54

RBAC Reference Models

RBAC0 base model (vanilla roles)

RBAC1adds role hierarchies to RBAC

0

RBAC2adds constraints to RBAC

0

RBAC3merges RBAC

1and RBAC

2

RBAC0

RBAC1 RBAC2

RBAC3

RBAC


49/54

RBAC0

Users U, Roles R, Permissions P andSessions S

PA P R permissions for roles

UA U R users for roles user : S ! U users for sessions

roles : S ! 2R sets of roles for sessions

Permissions for s consist of the values

(p,r) 2 PA such that r2 role(s)

RBAC


50/54

RBAC1

U,R,P,S,PA,UA,user as in RBAC_0 is a partial order on R called the role

hierarchy

roles : S ! 2R

is a function such that, forevery s 2 S, roles(s) {r | 9 r r. (user(s),r) 2 UA}

Permissions for s consist of p such that 9 r

2 role(s). 9 r r. (p, r) 2 PA

RBAC


51/54

RBAC2

RBAC2 is unchanged from RBAC0 exceptfor requiring that there be constraints to

determine the acceptability of various

components of RBAC0. Only acceptablevalues will be permitted.

M j T f C t i t


52/54

Major Types of Constraints

Mutually exclusive roles Cardinality

Prerequisite roles

RBAC


53/54

RBAC3

Combine RBAC1 and RBAC2

Issues in the combination

Constraints on role hierarchies

Interactions

Strategy for role management: separate

administrative roles with potentially

simpler hierarchy and constraints

K P i t


54/54

Key Points

Hybrid policies deal with bothconfidentiality and integrity

Different combinations of these

ORCON model neither MAC nor DACActually, a combination

RBAC model controls access based on

functionality

Documents

463.2 Hybrid Policies