Upload
sharleen-taylor
View
218
Download
1
Embed Size (px)
Citation preview
Chapter 5 – Designing Trusted Operating Systems
In this sectionWhat is a trusted system?Security Policy
MilitaryCommercialClark-WilsonSeparation of Duty Chinese Wall
ModelsLattice ModelBell-La PadulaBibaGraham-DenningTake-Grant
Designing Trusted OSPrimary security in computing systemsPrimary Security
MemoryFileObjects/Access ControlUser Authentication
Trusted – We are confident that services are provided consistently and effectively
Making of a trusted OSPolicy – requirements statement of what is
should doModel – model of the environment to be
secured; represents the policy to be enforcedDesign – the means of implementation;
functionality and construction Trust – assurance of meeting expectation
through the features offered
What is a trusted system?What makes something secure?
For how long?Trusted Software – rigorously developed and
analyzedKey Characteristics of Trusted Software:
Functional CorrectnessEnforcement of Integrity Limited PrivilegeAppropriate Confidence Level
We speak in terms of trusted and not secure
Many types of Trust:Trusted ProcessTrusted ProductTrusted SoftwareTrusted Computing BaseTrusted System
Through:Enforcement of Security PolicySufficiency of Measures and MechanismEvaluation
Security PolicySecurity Policy – statement of the security we
expect the system to enforceA trusted system can be trusted only in
relation to its security policy…. To the security needs the system expected to satisfy
Military Security PolicyBasis of many OS security policiesBased on protecting classified informationTop Secret (most sensitive), Secret,
Confidential, Restricted, Unclassified (least sensitive)
Limited by the Need-to-Know rule: Access is allowed only to subjects who need to know data to perform job.
Compartments- classification information may be associated with one or more projects describing the subject matter of the information
Classification - <rank; compartments>This enforces need-to-know both by security level
and by topicClearance – person is trusted to access
information up to a given level of sensitivity with need-to-know
Dominance, on a set of Objects (0) and Subjects (s)s ≤ o if and only if
rank(s) ≤ rank (0) and compartments (s) ⊆ compartments(0)
We say 0 dominates s (or s is dominated by o)Dominance is used to limit the sensitivity and
content of information a subject can accessAs subject can read an object only if:
clearance level of the subject is at least as high as the information
Subject has a need-to-know about all compartments for which the information is classified
Commercial Security PoliciesWorried about espionageDegrees of sensitivity:
PublicProprietary Internal
No dominance function for most commercial policies since no formal clearance is needed
Integrity and availability are just, not if more, important than confidentiality
Clark-Wilson Commercial Security PolicyThis is based on IntegrityPolicy on well-formed transactionsSequence of activities Performing steps in order, performing exactly
the steps listed, and authentication of individuals in the steps (well-formed transactions)
Goal: maintain consistency between internal data and external (users’) expectation of data
Constrained data items which are processed by transformation procedures
Separation of Duty The required division of responsibilities is
called separation of dutyAccomplished manually by means of dual
signatures
Chinese Wall Security PolicyUsed in legal, medical, investment and
accounting firmsAddresses the conflict of interestSecurity Policy Builds on:
Objects – low levelCompany Groups – mid levelConflict Classes – high level, groups of objects
of competing companies are clusterd
Models of SecuritySecurity Models are used to:
Test a particular policy for completeness and consistency
Document policyHelp conceptualize and design an
implementationCheck whether an implementation meets its
requirementsPolicy is established outside any modelModel is only a mechanism that enforces the
policy
Multilevel Security Build a model to represent a range of
sensitivities and to reflect the need to separate subjects rigorously from objects to which they should not have access
The generalized model is called the Lattice Model of Security
Bell-La Padula Confidentiality ModelFormal description of allowable paths of flow in a
secure systemFormalization of the military security policyTwo properties:
Simple Security Property – A subject s may have read access to object o only if C(o) ≤ C(s)
*-Property – A subject s who has read access to an object o may have write access to an object p only if C(o) ≤ C(p)
C(s) – clearance; c(0) classificationWrite-down – high level subjects transfers high
level data to a low level object (prevented by star property)
Figure 5-7 Secure Flow of Information.
Biba Integrity ModelBell-La Padula model applies only to secrecy Biba is about Integrity and defines integrity
levelsProperties:
Simple Integrity Property – Subject s can modify (have write access to) object o only if I(s) ≥ I(o)
*-Property – if subject s has read access to object o with integrity level I(0), s can have write access to object p only if I(o) ≥ I(p) [write-down]
Totally ignores secrecy
Graham-Denning ModelFormal System of Protection RulesAccess Control Mechanism (matrix) of a
protection systemEight Privative Protection Rights
Create object, Create subject, Delete object and Delete subject
Read AccessGrant AccessDelete Access RightTransfer Access Right
Matrix: A[s,o]
Take-Grant SystemsFour primitives: create, revoke, take and
grant