Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
1
Introduction to Computer Security
Slide 1Auburn UniversityComputer Science and Software Engineering
Chapter 4: Security Policies
• Overview• The nature of policies
–What they cover–Policy languages
• The nature of mechanisms–Types
• Underlying both–Trust
Introduction to Computer Security
Slide 2Auburn UniversityComputer Science and Software Engineering
Overview
• Overview• Policies• Trust• Nature of Security Mechanisms• Example Policy
2
Introduction to Computer Security
Slide 3Auburn UniversityComputer Science and Software Engineering
Security Policy
• Policy partitions system states into:– Authorized (secure)
• These are states the system can enter
– Unauthorized (nonsecure)• If the system enters any of these states, it’s a
security violation
• Secure system– Starts in authorized state– Never enters unauthorized state
Introduction to Computer Security
Slide 4Auburn UniversityComputer Science and Software Engineering
Example
• Four states and five transitions• In this example, the authorized states are s1
and s2. Is this system secure?
No. The system can enter an unauthorized state. How to improve it?
3
Introduction to Computer Security
Slide 5Auburn UniversityComputer Science and Software Engineering
Definitions
• Definition 4-1. A security policy is a statement that partition the states of the system into a set of authorized, or secure, states and a set of unauthorized, or nonsecure, states.
• Definition 4-2. A secure system is a system that starts in an authorized state and cannot enter an unauthorized state.
Introduction to Computer Security
Slide 6Auburn UniversityComputer Science and Software Engineering
Confidentiality
• X set of entities, I information• I has confidentiality property with respect
to X if no x ∈ X can obtain information from I
• I can be disclosed to others
•Example:–X set of students–I final exam answer key–I is confidential with respect to X if students cannot obtain final exam answer key
4
Introduction to Computer Security
Slide 7Auburn UniversityComputer Science and Software Engineering
Integrity
• X set of entities, I information• I has integrity property with respect to
X if all x ∈ X trust information in I• Types of integrity:
– trust I, its conveyance and protection (data integrity)
– I information about origin of something or an identity (origin integrity, authentication)
– I resource: means resource functions as it should (assurance)
Introduction to Computer Security
Slide 8Auburn UniversityComputer Science and Software Engineering
Availability
• X set of entities, I resource• I has availability property with respect
to X if all x ∈ X can access I• Types of availability:
– traditional: x gets access or not– quality of service: promised a level of
access (for example, a specific level of bandwidth) and not meet it, even though some access is achieved
5
Introduction to Computer Security
Slide 9Auburn UniversityComputer Science and Software Engineering
Examples
• A book-selling server takes up to 1 hour to service a request to purchase a book.
• A server of medical information takes up to 1 hour to service a request for information regarding an emergency.
Introduction to Computer Security
Slide 10Auburn UniversityComputer Science and Software Engineering
Policy Models
• Abstract description of a policy or class of policies
• Focus on points of interest in policies– Security levels in multilevel security models– Separation of duty in Clark-Wilson model– Conflict of interest in Chinese Wall model
6
Introduction to Computer Security
Slide 11Auburn UniversityComputer Science and Software Engineering
Types of Security Policies
• Military (governmental) security policy– Policy primarily protecting confidentiality
• Commercial security policy– Policy primarily protecting integrity
• Confidentiality policy– Policy protecting only confidentiality
• Integrity policy– Policy protecting only integrity
Introduction to Computer Security
Slide 12Auburn UniversityComputer Science and Software Engineering
Examples
• If the confidentiality of a bank’s computer is compromised, a customer’s account balance may be revealed. This would certainly embarrass the bank and possibly cause the customer to take her business elsewhere.
• If a site obtains a new version of a program, should that program have high integrity or low integrity, or should the level of trust be somewhere in between?
7
Introduction to Computer Security
Slide 13Auburn UniversityComputer Science and Software Engineering
Definitions
• Definition 4-9. A military security policy is a security policy developed primarily to provide confidentiality.
• Definition 4-10. A commercial security policy is a security policy developed primarily to provide integrity.
Introduction to Computer Security
Slide 14Auburn UniversityComputer Science and Software Engineering
Integrity and Transactions
• Begin in consistent state– “Consistent” defined by specification
• Perform series of actions (transaction)– Actions cannot be interrupted– If actions complete, system in consistent
state– If actions do not complete, system reverts
to beginning (consistent) state
8
Introduction to Computer Security
Slide 15Auburn UniversityComputer Science and Software Engineering
Trust
A system administrator receives a security patch for her computer’s operating system. She installs it. Has she improved the security of her system? What assumptions has she made?
Introduction to Computer Security
Slide 16Auburn UniversityComputer Science and Software Engineering
Trust (Cont.)
1. Trusts patch came from vendor, not tampered with in transit
2. Trusts vendor tested patch thoroughly3. Trusts vendor’s test environment
corresponds to local environment4. Trusts patch is installed correctly
9
Introduction to Computer Security
Slide 17Auburn UniversityComputer Science and Software Engineering
Trust in Formal Verification
• Gives formal mathematical proof that given input i, program P produces output o as specified
• Suppose a security-related program Sformally verified to work with operating system O
• What are the assumptions?
Introduction to Computer Security
Slide 18Auburn UniversityComputer Science and Software Engineering
Trust in Formal Methods
1. Proof has no errors• Bugs in automated theorem provers
2. Preconditions hold in environment in which Sis to be used
3. S transformed into executable S′ whose actions follow source code
– Compiler bugs, linker/loader/library problems
4. Hardware executes S′ as intended– Hardware bugs (Pentium f00f bug, for
example)
10
Introduction to Computer Security
Slide 19Auburn UniversityComputer Science and Software Engineering
Types of Access Control
• Discretionary Access Control (DAC, IBAC)– individual user sets access control
mechanism to allow or deny access to an object
• Mandatory Access Control (MAC)– system mechanism controls access to
object, and individual cannot alter that access
• Originator Controlled Access Control (ORCON)– originator (creator) of information controls
who can access information
Introduction to Computer Security
Slide 20Auburn UniversityComputer Science and Software Engineering
MAC Example
The law allows a court to access driving records without the owner’s permission. This is a mandatory control, because the owner of the record has no control over the court’s accessing the information.
11
Introduction to Computer Security
Slide 21Auburn UniversityComputer Science and Software Engineering
Question
• Policy disallows cheating– Includes copying homework, with or without
permission
• CS class has students do homework on computer
• Anne forgets to read-protect her homework file
• Bill copies it• Who cheated?
– Anne, Bill, or both?
Introduction to Computer Security
Slide 22Auburn UniversityComputer Science and Software Engineering
Answer Part 1
• Bill cheated– Policy forbids copying homework
assignment– Bill did it– System entered unauthorized state (Bill
having a copy of Anne’s assignment)• If not explicit in computer security policy,
certainly implicit– Not credible that a unit of the university
allows something that the university as a whole forbids, unless the unit explicitly says so
12
Introduction to Computer Security
Slide 23Auburn UniversityComputer Science and Software Engineering
Answer Part 2
• Anne didn’t protect her homework–Not required by security policy
• She didn’t breach security• If policy said students had to read-
protect homework files, then Anne did breach security–She didn’t do this
Introduction to Computer Security
Slide 24Auburn UniversityComputer Science and Software Engineering
Mechanisms
• Entity or procedure that enforces some part of the security policy–Access controls (to prevent someone
from reading a homework file)–Disallowing people from bringing CDs
and floppy disks into a computer facility to control what is placed on systems
13
Introduction to Computer Security
Slide 25Auburn UniversityComputer Science and Software Engineering
Example English Policy
• Computer security policy for academic institution– Institution has multiple campuses,
administered from central office– Each campus has its own administration,
and unique aspects and needs
• Authorized Use Policy• Electronic Mail Policy
Introduction to Computer Security
Slide 26Auburn UniversityComputer Science and Software Engineering
Authorized Use Policy
• Intended for one campus (UC Davis) only• Goals of campus computing
– Underlying intent
• Procedural enforcement mechanisms– Warnings– Denial of computer access– Disciplinary action up to and including expulsion
• Written informally, aimed at user community
14
Introduction to Computer Security
Slide 27Auburn UniversityComputer Science and Software Engineering
Electronic Mail Policy
• Systemwide, not just one campus• Three parts
–Summary–Full policy– Interpretation at the campus
Introduction to Computer Security
Slide 28Auburn UniversityComputer Science and Software Engineering
Summary
• Warns that electronic mail not private– Can be read during normal system
administration– Can be forged, altered, and forwarded
• Unusual because the policy alerts users to the threats– Usually, policies say how to prevent
problems, but do not define the threats
15
Introduction to Computer Security
Slide 29Auburn UniversityComputer Science and Software Engineering
Summary
• What users should and should not do– Think before you send– Be courteous, respectful of others– Don’t interfere with others’ use of email
• Personal use okay, provided overhead minimal• Who it applies to
– Problem is UC is quasi-governmental, so is bound by rules that private companies may not be
– Educational mission also affects application
Introduction to Computer Security
Slide 30Auburn UniversityComputer Science and Software Engineering
Full Policy
• Context– Does not apply to Dept. of Energy labs run by the
university– Does not apply to printed copies of email
• Other policies apply here
• E-mail, infrastructure are university property– Principles of academic freedom, freedom of speech
apply– Access without user’s permission requires approval
of vice chancellor of campus or vice president of UC– If infeasible, must get permission retroactively
16
Introduction to Computer Security
Slide 31Auburn UniversityComputer Science and Software Engineering
Uses of E-mail
• Anonymity allowed– Exception: if it violates laws or other
policies• Can’t interfere with others’ use of e-mail
– No spam, letter bombs, e-mailed worms, etc.
• Personal e-mail allowed within limits– Cannot interfere with university business– Such e-mail may be a “university record”
subject to disclosure
Introduction to Computer Security
Slide 32Auburn UniversityComputer Science and Software Engineering
Security of E-mail
• University can read e-mail–Won’t go out of its way to do so–Allowed for legitimate business
purposes–Allowed to keep e-mail robust,
reliable• Archiving and retention allowed
–May be able to recover e-mail from end system (backed up, for example)
17
Introduction to Computer Security
Slide 33Auburn UniversityComputer Science and Software Engineering
Implementation
• Adds campus-specific requirements and procedures– Example: “incidental personal use” not
allowed if it benefits a non-university organization
– Allows implementation to take into account differences between campuses, such as self-governance by Academic Senate
• Procedures for inspecting, monitoring, disclosing e-mail contents
• Backups
Introduction to Computer Security
Slide 34Auburn UniversityComputer Science and Software Engineering
Key Points
• Policies describe what is allowed• Mechanisms control how policies
are enforced• Trust underlies everything