Special systems: MLS

Multilevel security [“Red book” US-DOD 1987]

Considers the assurance risk when composing multilevel secure systems evaluated under security evaluation criteria.

Analyzing the security of interoperating and individually secure systems can be done in polynomial time.

Given a non-secure network configuration, re-configuring the connections in an optimal way (to minimize the impact on interoperability) is NP.

Multilevel Security (MLS) [Bell LaPadula Model]

Security levels L define the classification of subjects (processes) and objects, e.g. Unclassified, Secret, Top-Secret.

Policy: lattice of security levels (L, <=). x <= y: level x information may flow to level y.

Unclassified < Secret < Top-Secret

Evaluation Criteria [“Orange” & “Red” Books]

MLS systems are assured to different levels of assurance based on evaluation criteria.

(worst) D < C1 < C2 < C3 < B1 < B2 < B3 < A1 (best)

Evaluated systems must meet minimum risk requirements. Systems storing high-risk combinations of data need high levels of assurance.

System stores              Minimum assurance
topsecret+unclassified     B3
topsecret+secret           B2
secret+unclassified        B1

Configuring MLS Networks: Channel Cascade Attacks

[Figure: three connected systems A, B and C with assurance ratings B2, B1 and B3, holding data at levels U, S and TS.]

Each evaluated system meets criteria. However, the network has cascading risk: the attacker breaks system A, copies TS data to S, copies this data from System A to B to C, breaks system C, copies S(TS) data to U.

B3 assurance is required when protecting TS and U, but the cascade attack breaks B2 and lower systems.

Modeling MLS networks: Strategy

effort((s,l),(s',l')): the minimum effort required to compromise the network and copy/downgrade level l information held on system s to level l' on system s'.

Cascade problem if there exist s, s' and l, l' such that: effort((s,l),(s',l')) < system-assurance

[Figure: the example network of systems A, B and C annotated with assurance levels.]

Modeling MLS networks: Strategy (using Constraints)

Systems as flow-constraints between the levels of data that they store.
Networks as flow-constraints that represent the channels that connect systems.
Soft constraint semi-ring as assurance levels.
Cascade Detection: finding cascades.

[Figure, built up over several slides: the network of systems A, B and C with its flow constraints labelled first by assurance level (B3, B1, B3, B2) and then by numeric values (3, 1, 3, 2, 0, 0).]

Ex1: Cascade Free Path

[Figure: network of systems A, B, C and D holding data at levels U, S and TS, with flow-constraint variables T^s_A, T^d_A, T^s_B, S^d_B, S^s_C, *^s_1, U^d_C, *^d_1.]

E = max({0, 0, 3, 0, 1, 0, 0}) = 3

Risk requirements: R(T^s_A, S^d_B), R(T^s_A, U^d_C), R(T^s_A, *^d_1)

R = max({2, 3, 0}) = 3

The effort E = 3 is not below the requirement R = 3, so the path is cascade free.
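
Ex2: Cascading Path

[Figure: the same network of systems A, B, C and D, with flow-constraint variables T^s_A, S^s_D, S^s_C, *^s_1, S^d_A, S^d_D, U^d_C, *^d_1.]

E = max({2, 0, 0, 0, 1, 0, 0}) = 2

Risk requirements: R(T^s_A, S^d_D), R(T^s_A, U^d_C), R(T^s_A, *^d_1)

R = max({2, 3, 0}) = 3

The effort E = 2 is below the requirement R = 3, so the path is a cascade.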
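
The cascade check from the slides, written out as an added example (not code from the original deck): the effort of a path is the maximum effort on any of its edges, effort((s,l),(s',l')) is the minimum over all paths, and a cascade exists when that value is below the minimum assurance for the level pair. The three-system topology is constructed from the attack described earlier; the levels held by system B, the channel levels and all function names are assumptions.

```python
import heapq
from itertools import product

LEVEL = {"U": 0, "S": 1, "TS": 2}
# Minimum assurance (B1=1, B2=2, B3=3) for the level pairs in the page's table.
REQUIRED = {("TS", "U"): 3, ("TS", "S"): 2, ("S", "U"): 1}

def build_edges(systems, channels):
    """systems: name -> (assurance, levels); channels: (system, system, level)."""
    edges = {}
    def add(u, v, cost):
        edges.setdefault(u, []).append((v, cost))
    for s, (assurance, levels) in systems.items():
        for a, b in product(levels, repeat=2):
            if a != b:
                # Upward flow is legal (effort 0); a downgrade means breaking s.
                add((s, a), (s, b), 0 if LEVEL[a] < LEVEL[b] else assurance)
    for s, t, lvl in channels:  # network channels cost no effort
        add((s, lvl), (t, lvl), 0)
        add((t, lvl), (s, lvl), 0)
    return edges

def effort(edges, src):
    """Min over paths of the max edge effort from src (bottleneck Dijkstra)."""
    best = {src: 0}
    heap = [(0, src)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > best[node]:
            continue
        for nxt, c in edges.get(node, []):
            new = max(cost, c)
            if new < best.get(nxt, float("inf")):
                best[nxt] = new
                heapq.heappush(heap, (new, nxt))
    return best

def find_cascades(systems, channels):
    """Return (source, target, effort, required) for every cascading flow."""
    edges = build_edges(systems, channels)
    found = []
    for s, (_, levels) in systems.items():
        for l in levels:
            for (t, l2), e in effort(edges, (s, l)).items():
                if e < REQUIRED.get((l, l2), 0):
                    found.append(((s, l), (t, l2), e, REQUIRED[(l, l2)]))
    return found

# Constructed topology: A is B2 (TS,S), B is B3 (TS,S,U), C is B1 (S,U).
SYSTEMS = {"A": (2, ["TS", "S"]), "B": (3, ["TS", "S", "U"]), "C": (1, ["S", "U"])}
CHANNELS = [("A", "B", "S"), ("B", "C", "S")]
```

Calling `find_cascades(SYSTEMS, CHANNELS)` reports the TS-to-U flow from A to C at effort 2 against a requirement of 3; dropping the B to C channel from the list removes it.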

Conclusion

Secure interoperation is difficult!
Remember: when you compose two secure systems you could obtain a not secure system!
In real life: add communications only when really needed!

Crisp toward soft constraints

P = {V, D, C, PC, con, def, a}
V: x1, x2, x3, x4
D: {red,blue,yellow}, {blue,yellow}, {red,blue}, {yellow}
C = {pairwise-different}
Operations: combination, projection

[Figure: the same problem over x1, x2, x3, x4 with costs attached. Values shown: 5$, 3$, 2$, 15$, 15$; Combination (+); Projection (min); 15$, 13$, 13$.]

C-semiring <A,+,×,0,1>:

Weighted       <+,min,+,+,0>
Fuzzy          <[0,1],max,min,0,1>
Probabilistic  <[0,1],max,,0,1>
Classical      <{false,true},,,false,true>

The Semiring Framework

A c-semiring is a tuple <A,+,×,0,1> such that:
A is the set of all consistency values and 0, 1 ∈ A. 0 is the lowest consistency value and 1 is the highest consistency value;
+, the additive operator, is a closed, commutative, associative and idempotent operation such that 1 is its absorbing element and 0 is its unit element;
×, the multiplicative operator, is a closed and associative operation such that 0 is its absorbing element, 1 is its unit element and × distributes over +.
Stefano Bistarelli, Ugo Montanari, and Francesca Rossi, Semiring-based Constraint Solving and Optimization, Journal of the ACM, 44(2):201–236, Mar 1997.
Semiring-based Constraints
Given a semiring <A,+,×,0,1>, an ordered set of variables V over a finite domain D, a constraint is a function which maps an assignment of the variables in the support of c, supp(c) to an element of A.
Notation c represents the constraint function c evaluated under instantiation , returning a semiring value.
Given two constraints c1 and c2, their combination is defined as (c1c2) = c1×c2 .
The operation C represents the combination of a set of constraints C.
a ≤ b iff a+b=b
c1 ⊑ c2 iff ∀ c1 ≤ c2
Stefano Bistarelli, Ugo Montanari and Francesca Rossi, Soft Concurrent Constraint Programming, Proceedings of ESOP-2002, LNCS, April 2002.
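
Combination and projection over a c-semiring, as an added example that is not part of the original slides: constraints map an assignment to a semiring value, combination applies × across constraints, and projection applies + over the eliminated variables. The two-variable colouring problem and its values are constructed, the names are hypothetical, and the weighted instance uses the standard (min, +, +∞, 0) operators, which is an assumption because the slide's tuple is garbled.

```python
from itertools import product

class Semiring:
    def __init__(self, plus, times, zero, one):
        self.plus, self.times, self.zero, self.one = plus, times, zero, one

    def leq(self, a, b):
        # Induced order from the page: a <= b iff a + b = b (b is at least as good).
        return self.plus(a, b) == b

# Assumed standard weighted instance, and the fuzzy instance from the slide.
WEIGHTED = Semiring(min, lambda a, b: a + b, float("inf"), 0)
FUZZY = Semiring(max, min, 0.0, 1.0)

def combine(sr, constraints):
    """Combination: multiply (x) the values of all constraints under eta."""
    def combined(eta):
        value = sr.one
        for support, fn in constraints:
            value = sr.times(value, fn(*(eta[v] for v in support)))
        return value
    return combined

def project(sr, domains, constraint, keep):
    """Projection onto `keep`: add (+) over all values of the other variables."""
    table = {}
    names = list(domains)
    for values in product(*(domains[n] for n in names)):
        eta = dict(zip(names, values))
        key = tuple(eta[v] for v in keep)
        table[key] = sr.plus(table.get(key, sr.zero), constraint(eta))
    return table

# Constructed problem: two variables that must take different colours.
DOMAINS = {"x1": ["red", "blue"], "x2": ["blue", "yellow"]}

def colouring(sr, pref1, pref2, keep=("x1",)):
    """Unary preferences on x1 and x2 plus a crisp 'different' constraint."""
    differ = lambda a, b: sr.one if a != b else sr.zero
    constraints = [(("x1",), pref1.get), (("x2",), pref2.get),
                   (("x1", "x2"), differ)]
    return project(sr, DOMAINS, combine(sr, constraints), keep)

WEIGHTED_RESULT = colouring(WEIGHTED, {"red": 5, "blue": 2},
                            {"blue": 3, "yellow": 15})
FUZZY_RESULT = colouring(FUZZY, {"red": 0.9, "blue": 0.4},
                         {"blue": 0.7, "yellow": 0.5})
```

The same `combine` and `project` code solves both problems; only the semiring changes, so the weighted run minimises total cost while the fuzzy run maximises the weakest preference.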