Security Policy Models CSC 482/582: Computer Security

Topics 1. Types of Policy Models 2. Bell-LaPadula Model 1. Rules 2. Tranquility 3. Controversy: -property, System Z 3. Integrity Policies 1. Requirements 2. Bibas models 1. Low-Water-Mark policy 2. Ring policy 3. Strict Integrity policy 4. Mixed Policies 1. Chinese Wall Model

CSC 482/582: Computer Security Confidentiality Policy Goal: prevent the unauthorized disclosure of information. Deals with information flow. Integrity incidental. Multi-level security models are best-known examples. Bell-LaPadula Model basis for most of these.

CSC 482/582: Computer Security Bell-LaPadula Model, Step 1 Levels consist of security clearance L(s). Objects have security classification L(o). Unclassified Confidential Secret Top Secret

CSC 482/582: Computer Security Example security levelsubjectobject Top SecretTamaraPersonnel Files SecretSamuelE-Mail Files ConfidentialClaireActivity Logs UnclassifiedUlaleyTelephone Lists Tamara can read all files. Claire cannot read Personnel or E-Mail Files. Ulaley can only read Telephone Lists.

CSC 482/582: Computer Security Reading Information Information flows up, not down Reads up disallowed, reads down allowed. Simple Security Condition (Step 1) Subject s can read object o iff, L(o) L(s) and s has permission to read o. Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission.) Sometimes called no reads up rule.

CSC 482/582: Computer Security Writing Information Information flows up, not down Writes up allowed, writes down disallowed. *-Property (Step 1) Subject s can write object o iff L(s) L(o) and s has permission to write o. Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission.) Sometimes called no writes down rule.

CSC 482/582: Computer Security Basic Security Theorem, Step 1 If 1. system is initially in a secure state, and 2. every transition of the system satisfies the simple security condition, and 3. every transition satisfies the *-property then every state of the system is secure. Proof: induction on number of transitions.

CSC 482/582: Computer Security Bell-LaPadula Model, Step 2 Security level is (clearance, category set). Examples: ( Top Secret, { Nuc, Eur, Asi } ) ( Confidential, { Eur, Asi } ) ( Secret, { Nuc, Asi } )

CSC 482/582: Computer Security Relationship of Security Levels (A, C) dom (A, C) iff A A and C C. Examples: (Top Secret, {Nuc,Asi}) dom (Secret, {Nuc}) (Secret, {Nuc, Eur}) dom (Confidential,{Nuc,Eur}) (Top Secret, {Nuc}) dom (Confidential, {Eur}) Categories based on need to know principle.

CSC 482/582: Computer Security Levels and Ordering Security levels partially ordered. Any pair of security levels may (or may not) be related by dom. dominates serves the role of greater than in step 1. greater than is a total ordering, though.

CSC 482/582: Computer Security Reading Information Information flows up, not down Reads up disallowed, reads down allowed. Simple Security Condition (Step 2) Subject s can read object o iff L(s) dom L(o) and s has permission to read o. Sometimes called no reads up rule.

CSC 482/582: Computer Security Writing Information Information flows up, not down. Writes up allowed, writes down disallowed. *-Property (Step 2) Subject s can write object o iff L(o) dom L(s) and s has permission to write o. Sometimes called no writes down rule.

CSC 482/582: Computer Security Basic Security Theorem, Step 2 If 1. system is initially in a secure state, and 2. every transition of the system satisfies the simple security condition, and 3. every transition satisfies the *-property then every state of the system is secure. Proof: induction on number of transitions.

CSC 482/582: Computer Security Problem Colonel has (Secret, {Nuc, Eur}) clearance. Major has (Secret, {Eur}) clearance Major can talk to colonel (write up or read down) Colonel cannot talk to major (read up or write down) Clearly absurd!

CSC 482/582: Computer Security Solution Define maximum (L max ), current (L cur ) levels for subjects: L max (s) dom L cur (s) Example: Treat Major as an object (Colonel is writing to him/her) Colonel has L max (Secret, {Nuc, Eur}) Colonel sets L cur to (Secret, { Eur }) Now L(Major) dom L cur (Colonel) Colonel can write to Major without violating no writes down.

CSC 482/582: Computer Security Question In simple security condition and *-property, does L(s) mean current level or maximum level of s? Subject level treated as current level (L(s) = L cur (s) in the properties.) If subjects downgrade, trusted not to reveal information between L max (s) and L cur (s) to others who do not have clearance for that information. This includes writing it to objects at lower levels.

CSC 482/582: Computer Security Principle of Tranquility Cannot change security levels after instantiation. Raising objects security level Information once available to some subjects is no longer available. Usually assume information has already been accessed, so this does nothing. Lowering objects security level The declassification problem. Essentially, a write down violating *-property. Solution: define set of trusted subjects that sanitize or remove sensitive information before security level lowered.

CSC 482/582: Computer Security Types of Tranquility Strong Tranquility The clearances of subjects, and the classifications of objects, do not change during the lifetime of the system. Weak Tranquility The clearances of subjects, and the classifications of objects, do not change in a way that violates the simple security condition or the *-property during the lifetime of the system.

CSC 482/582: Computer Security Controversy value of the BST is much overrated since there is a great deal more to security than it captures. Further, what is captured by the BST is so trivial that it is hard to imagine a realistic security model for which it does not hold. McLean Basis: given assumptions known to be non-secure, BST can prove a non-secure system to be secure.

CSC 482/582: Computer Security -Property Subject s can write object o iff curlevel(s) dom L(o) and s has permission to write o. Idea: change model so that, for writing, subject dominates object; for reading, subject also dominates object. Differs from *-property in that the mandatory condition for writing is reversed. For *-property, object must dominate subject.

CSC 482/582: Computer Security Analogue Analogue to Basic Security Theorem is: A system is a secure system if its initial state is a secure state and all actions satisfy the conditions for the simple security condition, the -property, and the discretionary security property.

CSC 482/582: Computer Security Problem This system is clearly non-secure! Information flows from higher to lower because of the -property.

CSC 482/582: Computer Security Discussion Role of Basic Security Theorem is to demonstrate that rules preserve security. Key question: what is security? Bell-LaPadula defines it in terms of 3 properties (simple security condition, *-property, discretionary security property) Theorems are assertions about these properties. Rules describe changes to a particular system instantiating the model. Showing system is secure requires proving rules preserve these 3 properties.

CSC 482/582: Computer Security Rules and Model Nature of rules is irrelevant to model. Model treats security as axiomatic. Policy defines security This instantiates the model. Policy reflects the requirements of the systems. McLeans definition differs from Bell-LaPadula and is not suitable for a confidentiality policy. Analysts cannot prove security definition is appropriate through the model.

CSC 482/582: Computer Security Integrity Policy Requirements 1. Users will not write their own programs, but will use existing production programs and databases. 2. Programmers will develop and test programs on a nonproduction system; if they need access to actual data, they will be given production data via a special process, but will use it on their development system. 3. A special process must be followed to install a program from the development system onto the production system. 4. The special process in requirement 3 must be controlled and audited. 5. The managers and auditors must have access to both the system state and the system logs that are generated.

CSC 482/582: Computer Security Biba Integrity Model Basis for all 3 models: Set of subjects S Set of objects O Set of integrity levels I These can be linearly ordered or partially ordered (like Bell-LaPadula security levels.) i(s), i(o) gives integrity level of subject, object. Use rather than dom: So if i(s) i(o), the object integrity level dominates the subject integrity level.

CSC 482/582: Computer Security Intuition for Integrity Levels The higher the level, the more confidence: that a program will execute correctly. that data is accurate and/or reliable. Note relationship between integrity and trustworthiness. Important point: integrity levels are not security levels.

CSC 482/582: Computer Security Low-Water-Mark Policy Idea: when s reads o, i(s) = min(i(s),i(o)); s can only write objects at lower levels. Rules: 1. Subjects cannot write to higher trust objects: s S can write to o O if and only if i(o) i(s). 2. Subjects integrity lowered by using untrusted data: If s S reads o O, then i(s) = min(i(s), i(o)), where i(s) is the subjects integrity level after the read. 3. Subject can only run programs of lower trust levels s 1 S can execute s 2 S if and only if i(s 2 ) i(s 1 ).

CSC 482/582: Computer Security Problems Subjects integrity levels decrease as system runs Soon no subject will be able to access objects at high integrity levels. Alternative: change object levels rather than subject levels. Soon all objects will be at the lowest integrity level. Crux of problem is model prevents indirect modification. Because subject levels lowered when subject reads from low-integrity object.

CSC 482/582: Computer Security Ring Policy Idea: subject integrity levels static. Rules 1. Subjects can only write to lower integrity objects s S can write to o O if and only if i(o) i(s). 2. Any subject can read any object. 3. Subject can only run programs of lower trust levels s 1 S can execute s 2 S if and only if i(s 2 ) i(s 1 ). Eliminates indirect modification problem.

CSC 482/582: Computer Security Strict Integrity Policy Similar to Bell-LaPadula model 1. s S can read o O iff i(s) i(o) 2. s S can write to o O iff i(o) i(s) 3. s 1 S can execute s 2 S iff i(s 2 ) i(s 1 ) Note: if both read and write allowed, i(o) = i(s). Add compartments and discretionary controls to get full dual of Bell-LaPadula model. Term Biba Model refers to this.

CSC 482/582: Computer Security Mixed Models Chinese Wall Model Focuses on conflict of interest. CISS Policy Medical records require integrity and confidentiality. ORCON Combines mandatory, discretionary access controls. RBAC Base controls on job function; users may change roles.

CSC 482/582: Computer Security Chinese Wall Model Problem: Tony advises American Bank about investments. He is asked to advise Toyland Bank about investments. Conflict of interest to accept, because his advice for either bank would affect his advice to the other bank.

CSC 482/582: Computer Security Organization Organize entities into conflict of interest classes. Control subject accesses to each class. Control writing to all classes to ensure information is not passed along in violation of rules. Allow sanitized data to be viewed by everyone.

CSC 482/582: Computer Security Definitions Objects: items of information related to a company. Company dataset (CD): contains objects related to a single company. Written CD(O) Conflict of interest class (COI): contains datasets of companies in competition. Written COI(O). Assume: each object belongs to exactly one COI class.

CSC 482/582: Computer Security Chinese Wall Example Bank ofAmerica CitibankBank of theWest Bank COI Class Shell Oil Union 76 Standard Oil ARCO Gasoline Company COI Class

CSC 482/582: Computer Security Temporal Element If Anthony reads any CD in a COI, he can never read another CD in that COI. Possible that information learned earlier may allow him to make decisions later. Let PR(S) be set of objects that S has already read.

CSC 482/582: Computer Security CW-Simple Security Condition s can read o iff either condition holds: 1. There is an o such that s has accessed o and CD(o) = CD(o) Meaning s has read something in os dataset. 2. For all o O, o PR(s) COI(o) COI(o) Meaning s has not read any objects in os conflict of interest class. Ignores sanitized data (see below.) Initially, PR(s) = , initial read request granted.

CSC 482/582: Computer Security Sanitization Public information may belong to a CD As is publicly available, no conflicts of interest arise. So, should not affect ability of analysts to read. Typically, all sensitive data removed from such information before it is released publicly (called sanitization.) Add third condition to CW-Simple Security 3.o is a sanitized object.

CSC 482/582: Computer Security Writing Anthony, Susan work in same trading house. Anthony can read Bank 1s CD, Gas CD. Susan can read Bank 2s CD, Gas CD. If Anthony could write to Gas CD, Susan can read it. Hence, indirectly, she can read information from Bank 1s CD, a clear conflict of interest.

CSC 482/582: Computer Security CW-*-Property s can write to o iff both of the following hold: 1. The CW-simple security condition permits s to read o; and 2. For all unsanitized objects o, if s can read o, then CD(o) = CD(o). Says that s can write to an object if all the (unsanitized) objects it can read are in the same dataset.

CSC 482/582: Computer Security Information Flows Key question: under what condition can information flow from o O to o O? Answer: when either: CD(o) = CD(o); or o is sanitized.

CSC 482/582: Computer Security Compare to Bell-LaPadula Fundamentally different CW has no security labels, B-LP does. CW has notion of past accesses, B-LP does not. Bell-LaPadula can capture state at any time: Each (COI, CD) pair gets security category. Two clearances, S (sanitized) and U (unsanitized) S dom U Subjects assigned clearance for compartments without multiple categories corresponding to CDs in same COI class.

CSC 482/582: Computer Security Compare to Bell-LaPadula Bell-LaPadula cannot track changes over time. Susan becomes ill, Anna needs to take over C-W history lets Anna know if she can. No way for Bell-LaPadula to capture this. Access constraints change over time Initially, subjects in C-W can read any object. Bell-LaPadula constrains set of objects that a subject can access. Cant clear all subjects for all categories, because this violates CW-simple security condition.

CSC 482/582: Computer Security Key Points Confidentiality models restrict flow of information. Bell-LaPadula models multilevel security. Cornerstone of much work in computer security. Controversy over meaning of security. Different definitions produce different results. Biba Model basis for integrity models. Chinese Wall models time constraints on security.

CSC 482/582: Computer Security References 1. Anderson, Ross, Security Engineering, Wiley, 2001. 2. David E. Bell and Leonard J. LaPadula, Secure Computer System: Unified Exposition and MULTICS Interpretation, MTR-2997 Rev. 1, The MITRE Corporation, Bedford, MA 01730 (Mar. 1976) http://csrc.nist.gov/publications/history/bell76.pdf 3. Bishop, Matt, Introduction to Computer Security, Addison- Wesley, 2005. 4. Department of Defense, Trusted Computer System Evaluation Criteria, DoD 5200.28-STD (Orange Book), National Computer Security Center, Ft. Meade, MD 20755 (Dec. 1985) http://csrc.nist.gov/publications/history/dod85.pdf http://csrc.nist.gov/publications/history/dod85.pdf 5. Peter Loscocco and Stephen Smalley, Integrating Flexible Support for Security Policies into the Linux Operating System, Proceedings of the FREENIX Track of the 2001 USENIX Annual Technical Conference, 2001.Integrating Flexible Support for Security Policies into the Linux Operating System

Documents

Security Policy Models CSC 482/582: Computer Security