Fundamentals of Cyber security: Security Systems

Security Systems: Goals, Definitions, Requirements, and Principles

Chulantha Kulasekere

Department of Electronic and Computer Engineering
Sri Lanka Institute of Information Technology

[email protected]

September 21, 2013

ECK/2013 (SLIIT) FCCS September 21, 2013 1 / 68

Security Systems: Requirements

Putting in place an effective security system requires planning, resources and effort from all levels in an organization. Support from the management of an organization is key for a good security system because it is the only entity that can effectively provide:

- the list of assets and information that need to be protected to ensure the continuity of the organization, based on
  - risk analysis
  - risk mitigation
- the resources to set up and maintain the system, based on
  - funding for the equipment required
  - funding for the training and education of the staff
- the means to enable enforcement of policy compliance and revision
  - auditing
  - policy updating

The security program needs to:

- be driven by the management to have a better chance of being effective.
- be developed in terms of the whole of the organization and then refined to fit the specific areas within the organization.

Security Systems: Requirements ....

A key aspect of the development and implementation is communication (between the security development team and the rest of the organization). The security system requires:

- information ownership to be clearly specified
- clear definition of staff responsibilities
- policies to handle asset/information access
- a clear hierarchy and reporting procedure

Restrictions on access to information/assets are implemented via:

- administrative controls
- technical controls
- physical controls

Example: critical security controls from SANS
http://www.sans.org/critical-security-controls/guidelines.php

Key Concepts

Threat: Any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service.

Vulnerability: Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source.

Risk: A situation involving exposure to danger.

Incident: An incident is the result of a successful attack.

Countermeasure: Any organizational action or tool able to mitigate a risk deriving from one or more attack classes intended to exploit one or more classes of vulnerabilities.

Security System Principles

Effective security programs are shaped by the organization's short and long term objectives.

All effective programs are based on the AIC (or CIA) principles triad:

- Availability
- Integrity
- Confidentiality

The security measures put in place attempt to:

- provide support for the AIC principles
- address the threats that may compromise one or more of the AIC principles

Availability Principle

What does the principle of Availability entail?

All systems should perform in a predictable manner and with the condition that the performance is of an acceptable level.

Three causes of availability problems:

- software
  - denied access to information resulting in software non-availability
  - denied access due to strong encryption
- hardware
  - denial of service due to DDoS attacks
  - denial of service due to hardware non-availability
- unexpected circumstances
  - unexpected circumstances as a result of a natural event
  - unexpected circumstances as a result of a human-caused disaster

Addressing Availability

To address the problem of service denial one can deploy security solutions specifically aimed at DDoS attacks.

To address the problem of service provision failure one can employ fault tolerant computer systems.

Integrity Principle

What does the principle of Integrity entail? No unauthorized modification is permitted, and the information provided is both accurate and reliable.

Requires a combination of hardware, software and communication methods to ensure that the data is not compromised.

Carefully developed controls are key to preventing data integrity problems.

The integrity of the data can be compromised either by mistake or with specific intent.

From a commercial software development point of view, the integrity principle can be further refined in terms of:

a) whether the information is valid
b) whether the data has been compromised
c) whether the data source can be determined and verified

Addressing Integrity

To ensure the integrity of information, an auditing procedure must be in place in conjunction with a separation of both functions and duties.

Separation of duties and functions - why is it important and how does it help with the system security?

To compromise the security setup, a concerted effort from multiple staff is required - the larger the number of staff required, the smaller the likelihood that the security will be breached.

Auditing - why is it important and how does it help with the system security?

Having a simple and clear procedure to gain access to information/resources reduces the chances that access can be obtained without proper authorization and without detection.

Confidentiality Principle

What does the principle of Confidentiality entail?

The secrecy of the data is maintained at all times.

The privacy of the data can be protected through a combination of data access control and encryption.

The secrecy can be compromised in several ways:

- malware
- intruders
- insecure networks
- poorly administered systems
- packet capture
- social engineering
- password attacks

Addressing Confidentiality

Encryption and access control

- RSA
- DES
- Diffie–Hellman

Universal security principles: Commonly used methods
Least Privilege

Motto: Do not give any more privileges than absolutely necessary to do the required job.

It applies not only to privileges of users and applications on a computer system, but also to other, non-information-system privileges of an organization's staff.

The principle of least privilege is a preventive control, because it reduces the number of privileges that may be potentially abused and therefore limits the potential damage.

Some examples of application of this principle include the following:

- Giving users only read access to shared files if that's what they need, and making sure write access is disabled
- Not allowing help desk staff to create or delete user accounts if all that they may have to do is to reset a password
- Not allowing software developers to move software from development servers to production servers

Universal security principles: Commonly used methods
Defense in Depth

The principle of defense in depth is about having more than one layer or different types of defense cascaded.

Even if one layer is breached, the next layer will hold out. Hence the difficulty of breaching increases.

An example application is to use a firewall and IPSEC encryption: a firewall between the Internet and your LAN, plus the IP Security Architecture (IPSEC) to encrypt all sensitive traffic on the LAN. The firewall and the data encryption both have to be compromised. Hard.

A suggested method:

- first use preventive controls;
- second use detective controls to check on preventive control breach;
- third use corrective controls to help you respond effectively to security incidents and contain damage.

It does not mean indiscriminate application of controls. A balance has to be found between the security provided and the financial, human, and organizational resources you are willing to expend following it. (Some IT people use a lot to make life easier for them.)

Universal security principles: Commonly used methods
Minimization

The minimization principle is the cousin of the least privilege principle and mostly applies to system configuration:

- do not run any software, applications, or services that are not strictly required to do the entrusted job
- a computer whose only function is to serve as an e-mail server should have only e-mail server software installed and enabled. All other services and protocols should either be disabled or not installed at all to eliminate any possibility of compromise or misuse
- the minimization principle not only increases security but usually also improves performance, saves storage space, and is a good system administration practice in general.

Examples: see Unix security best practices.

Universal security principles: Commonly used methods
Keep Things Simple

Complexity is the worst enemy of security. Complex systems are inherently more insecure because they are difficult to design, implement, test, and secure.

The complexity of information systems and processes is bound to increase with our increasing expectations of functionality; we should be very careful to draw a line between avoidable and unavoidable complexity and not sacrifice security for bells and whistles.

One can deliver a simple system via security audits to match the effort with the threat.

Universal security principles: Commonly used methods
Compartmentalization

Use of compartments (also known as zones, jails, sandboxes, and virtual areas) is a principle that limits the damage and protects other compartments when software in one compartment is malfunctioning or compromised.

Compartmentalization in the information security context means that applications run in different compartments are isolated from each other.

Examples of this are:

- Zones in Solaris 10 implement the compartmentalization principle and are powerful security mechanisms.
- If you have root privileges, you can basically do anything you want. If you don't have root access, there are restrictions. For example, you can't bind to ports under 1024 without root access.
- Similarly, you can't directly access a lot of operating system resources; for example, you have to go through a device driver to write to a disk; you can't deal with it directly.

Universal security principles: Commonly used methods
Use Choke Points

Choke points are logical narrow channels that can be easily monitored and controlled.

- An example of a choke point is a firewall.
- Virtual private network (VPN) and dial-in access points.
- The Windows domain controller is an application choke point.

If every employee is in direct contact with everyone else in the world, then there is a great potential for a social engineering attack to be performed. Employees are not allowed to directly contact the outside world during business hours.

Universal security principles: Commonly used methods
Fail Securely

Failing securely means that if a security measure or control has failed for whatever reason, the system is not rendered into an insecure state.

For example, when a firewall fails, it should default to a deny-all rule, not a permit-all rule.

However, fail securely does not mean "close everything" in all cases; if we are talking about a computer-controlled building access control system, for example, in case of a fire the system should default to "open doors" if humans are trapped in the building.

In this case, human life takes priority over the risk of unauthorized access, which may be dealt with using some other form of control that does not endanger the lives of people during emergency situations.

Universal security principles: Commonly used methods
Leverage Unpredictability

You should not publicize the details of your security measures and defenses.

This principle should not be seen as contradicting deterrent security controls, i.e. controls that basically notify everyone that security mechanisms are in place and that violations will be resisted, detected, and acted upon.

In practical terms, this means you can, for example, announce that you are using a firewall that, in particular, logs all traffic to and from your network, and that these logs are reviewed by the organization; there is no need to disclose the type, vendor, or version number of the firewall; where it is located; how often logs are reviewed; and whether any backup firewalls or network intrusion detection systems are in place.

Universal security principles: Commonly used methods
Segregation of Duties

The purpose of the segregation (or separation) of duties is to avoid the possibility of a single person being responsible for different functions within an organization, which when combined may result in a security violation that may go undetected.

No single person should be able to violate security and get away with it.

Rotation of duties is a similar control that is intended to detect abuse of privileges or fraud and is a practice to help your organization avoid becoming overly dependent on a single member of the staff.

By rotating staff, the organization has more chances of discovering violations or fraud.

Doors of the Shrine.

What is access control?

It is granting or denying approval to use specific resources; it is controlling access.

The mechanism used in an information system to allow or restrict access to data or devices.

Illustrated via an example of a FedEx delivery man picking up a parcel from a home.

Terminology of access control

Object. An object is a specific resource, such as a file or a hardware device.

Subject. A subject is a user or a process functioning on behalf of the user that attempts to access an object.

Operation. The action that is taken by the subject over the object is called an operation. For example, a user (subject) may attempt to delete (operation) a file (object).

Roles in access control

Roles in access control ...

Types of Controls to ensure AIC principles are not compromised

Central to information security is the concept of controls, which may be categorized by their functionality (preventive, detective, corrective, deterrent, recovery, and compensating, in this order) and plane of application (physical, administrative, or technical).

Physical controls include doors, secure facilities, fire extinguishers, flood protection, and air conditioning.

Administrative controls are the organization's policies, procedures, and guidelines intended to facilitate information security.

Technical controls are the various technical measures, such as firewalls, authentication systems, intrusion detection systems, and file encryption, among others.

Types of Controls

Preventive Controls: Preventive controls try to prevent security violations and enforce access control. Like other controls, preventive controls may be physical, administrative, or technical: doors, security procedures, and authentication requirements are examples of physical, administrative, and technical preventive controls, respectively.

Detective Controls: Detective controls are in place to detect security violations and alert the defenders. They come into play when preventive controls have failed or have been circumvented and are no less crucial than preventive controls. Detective controls include cryptographic checksums, file integrity checkers, audit trails and logs, and similar mechanisms.

Compensating Controls: Compensating controls are intended to be alternative arrangements for other controls when the original controls have failed or cannot be used. When a second set of controls addresses the same threats that are addressed by another set of controls, the second set of controls are compensating controls.

Types of Controls ....

Corrective Controls: Corrective controls try to correct the situation after a security violation has occurred. Although a violation occurred, not all is lost, so it makes sense to try and fix the situation. Corrective controls vary widely, depending on the area being targeted, and they may be technical or administrative in nature.

Deterrent Controls: Deterrent controls are intended to discourage potential attackers and send the message that it is better not to attack, but even if you decide to attack we are able to defend ourselves. Examples of deterrent controls include notices of monitoring and logging as well as the visible practice of sound information security management.

Recovery Controls: Recovery controls are somewhat like corrective controls, but they are applied in more serious situations to recover from security violations and restore information and information processing resources. Recovery controls may include disaster recovery and business continuity mechanisms, backup systems and data, emergency key management arrangements, and similar controls.

Access Control Models
Mandatory Access Control (MAC)

Takes a stricter approach to access control. Mandatory access controls specified in a system-wide security policy are enforced by the operating system and applied to all operations on that system. The user does not have the discretion. It has two key elements:

- Labels. In a system using MAC, every entity is an object (laptops, files, projects, and so on) and is assigned a classification label. These labels represent the relative importance of the object, such as confidential, secret, and top secret. Subjects (users, processes, and so on) are assigned a privilege label (sometimes called a clearance).
- Levels. A hierarchy based on the labels is also used, both for objects and subjects. Top secret has a higher level than secret, which has a higher level than confidential.

This is compartmentalization. As it is harder to implement, MAC-based systems are typically used in government, military, and financial environments, where higher than usual security is required and where the added complexity and costs are tolerated.

Access Control Models
Mandatory Access Control (MAC) ....

The implementation strategy of MAC is as follows:

- It grants permissions by matching object labels with subject labels based on their respective levels.
- To determine if a file can be opened by a user, the object and subject labels are compared.
- The subject must have an equal or greater level than the object in order to be granted access. For example, if the object label is top secret, yet the subject only has a lower secret clearance, then access is denied.
- Subjects cannot change the labels of objects or other subjects in order to modify the security settings.

Major implementations of MAC are:

- Lattice model: Security levels for objects and subjects are ordered as a lattice.
- Bell-LaPadula confidentiality model: Advanced version of the lattice model (actually this uses a mix of MAC and DAC).

Access Control Models
Mandatory Access Control (MAC) ....

A limited functional example of MAC is seen in Apple Mac OS X, UNIX, and Microsoft Windows 7/Vista.

The Microsoft Windows implementation has four security levels: low, medium, high, and system.

Non-administrative user processes run by default at the medium level.

Specific actions (such as installing application software) by a subject with a lower classification (such as a standard user) may require a higher level (such as high) of approval.

This approval invokes the Windows User Account Control (UAC) function.

A standard user needs to enter the admin password to elevate its privileges to a higher level before installing.

UAC attempts to match the subject's privilege level with that of the object.

Access Control Models
Discretionary Access Control (DAC)

MAC is the most restrictive model; the DAC model is the least restrictive, but it is widely used.

With the DAC model, every object has an owner, who has total control over that object.

The owner (creator) of information (file or directory) has the discretion to decide about and set access control restrictions on the object in question, which may, for example, be a file or a directory (the owner can create and access objects and can give permission to others to use them as well). (Unix: chmod)

The flexibility of a user deciding the access is an advantage. However, it is a disadvantage too, as users may take wrong decisions.

Example: with DAC, User X could access the files EMPLOYEES.XLSX and SALARIES.XLSX as well as paste the contents of EMPLOYEES.XLSX into a newly created document MYDATA.XLSX. User X could also give User Y access to all of these files, but only allow User Z to read EMPLOYEES.XLSX.
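The User X / User Y / User Z example above can be played through in code. The following Python simulation is an added example, not part of the lecture: each object records its owner and an access control list, only the owner may grant rights, and a copy of a file belongs to whoever made it. The last step of the scenario (User Y copying SALARIES.XLSX into a file Y owns and then sharing it, and the file name YCOPY.XLSX) is an assumption added to show why owner discretion alone cannot enforce a confidentiality policy, which is the motivation for the MAC slides that follow.

```python
# Added example (not from the lecture): a small Discretionary Access Control
# simulation in the style of the User X / User Y / User Z slide.
from __future__ import annotations


class AccessDenied(Exception):
    pass


class DacObject:
    def __init__(self, name: str, owner: str) -> None:
        self.name = name
        self.owner = owner
        self.acl: dict[str, set[str]] = {}  # subject -> operations the owner granted

    def permits(self, subject: str, op: str) -> bool:
        # The owner has total control; everyone else needs an explicit ACL entry.
        return subject == self.owner or op in self.acl.get(subject, set())


class DacSystem:
    def __init__(self) -> None:
        self.objects: dict[str, DacObject] = {}

    def create(self, subject: str, name: str) -> DacObject:
        obj = DacObject(name, owner=subject)
        self.objects[name] = obj
        return obj

    def grant(self, subject: str, name: str, grantee: str, ops: set[str]) -> None:
        obj = self.objects[name]
        if subject != obj.owner:  # discretion belongs to the owner only
            raise AccessDenied(f"{subject} is not the owner of {name}")
        obj.acl.setdefault(grantee, set()).update(ops)

    def check(self, subject: str, name: str, op: str) -> bool:
        return self.objects[name].permits(subject, op)

    def copy(self, subject: str, src: str, dst: str) -> DacObject:
        # "Paste the contents into a newly created document": reading src is
        # required, and the new document is owned by whoever created it.
        if not self.check(subject, src, "read"):
            raise AccessDenied(f"{subject} may not read {src}")
        return self.create(subject, dst)


def slide_scenario() -> dict[str, bool]:
    """Constructed scenario mirroring the slide; returns the access decisions."""
    dac = DacSystem()
    dac.create("X", "EMPLOYEES.XLSX")
    dac.create("X", "SALARIES.XLSX")
    dac.copy("X", "EMPLOYEES.XLSX", "MYDATA.XLSX")
    for f in ("EMPLOYEES.XLSX", "SALARIES.XLSX", "MYDATA.XLSX"):
        dac.grant("X", f, "Y", {"read", "write"})
    dac.grant("X", "EMPLOYEES.XLSX", "Z", {"read"})

    results = {
        "Z reads EMPLOYEES": dac.check("Z", "EMPLOYEES.XLSX", "read"),
        "Z writes EMPLOYEES": dac.check("Z", "EMPLOYEES.XLSX", "write"),
        "Z reads SALARIES": dac.check("Z", "SALARIES.XLSX", "read"),
        "Y writes SALARIES": dac.check("Y", "SALARIES.XLSX", "write"),
    }
    # Y is not the owner of X's file, so Y cannot widen Z's rights on it ...
    try:
        dac.grant("Y", "SALARIES.XLSX", "Z", {"read"})
        results["Y grants Z on X's file"] = True
    except AccessDenied:
        results["Y grants Z on X's file"] = False
    # ... but Y may read SALARIES.XLSX, paste it into a file Y owns, and share
    # that copy (assumed step): the policy follows the owner's discretion, not
    # the sensitivity of the information, which is what MAC labels add.
    dac.copy("Y", "SALARIES.XLSX", "YCOPY.XLSX")
    dac.grant("Y", "YCOPY.XLSX", "Z", {"read"})
    results["Z reads copy of SALARIES"] = dac.check("Z", "YCOPY.XLSX", "read")
    return results


if __name__ == "__main__":
    for decision, allowed in slide_scenario().items():
        print(f"{decision}: {'allowed' if allowed else 'denied'}")
```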

Access Control Models
Discretionary Access Control (DAC) ...

Two significant drawbacks in this system:

- DAC relies on decisions by the end user to set the proper level of security. As a result, incorrect permissions might be granted to a subject or permissions might be given to an unauthorized subject.
- The subject's permissions will be inherited by any programs that the subject executes.

Attackers can take advantage of this inheritance, as end users in the DAC model often have a high level of privileges.

Example: Malware that is downloaded onto a user's computer would then run in the same context as the user's high privileges, e.g. Trojans are a particular problem with DAC.

One method of controlling DAC inheritance is to automatically reduce the user's permissions. For example, Microsoft Windows 7 uses Internet Explorer Protected Mode, which prevents malware from executing code through the use of elevated privileges without the user's explicit recommendation.

Access Control Models
Role-Based Access Control (RBAC)

Rights and permissions are assigned to roles instead of individual users. Sometimes called Non-Discretionary Access Control.

This added layer of abstraction permits easier and more flexible administration and enforcement of access controls.

E.g., access to marketing files may be restricted to the marketing manager role only, and users Kamal and Upul may be assigned the role of marketing manager.

Later, when Kamal moves from the marketing department elsewhere, it is enough to revoke his role of marketing manager; no other changes would be necessary.

This is the permissions model used in Microsoft Exchange Server 2013.

Additionally there is another variant called Rule Based Access Control (RBAC).
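The marketing manager example, worked through in Python. This is an added example and not code from the lecture: permissions attach to roles, users hold roles, and revoking Kamal's role is the only change needed when he leaves the department. A help desk role limited to password resets (and the user name Nimal) is an assumption added to tie the example back to the least privilege slide, where help desk staff may reset passwords but not create or delete accounts.

```python
# Added example (not from the lecture): Role-Based Access Control where
# users are never granted permissions directly, only through roles.
from __future__ import annotations

from collections import defaultdict


class Rbac:
    def __init__(self) -> None:
        self.role_perms: dict[str, set[tuple[str, str]]] = defaultdict(set)
        self.user_roles: dict[str, set[str]] = defaultdict(set)

    def allow(self, role: str, resource: str, op: str) -> None:
        """Attach a (resource, operation) permission to a role."""
        self.role_perms[role].add((resource, op))

    def assign(self, user: str, role: str) -> None:
        self.user_roles[user].add(role)

    def revoke(self, user: str, role: str) -> None:
        # Only the user-role binding changes; the role's permissions are untouched.
        self.user_roles[user].discard(role)

    def permitted(self, user: str, resource: str, op: str) -> bool:
        """A user may perform op on resource if any of their roles allows it."""
        return any((resource, op) in self.role_perms[r] for r in self.user_roles[user])

    def who_can(self, resource: str, op: str) -> set[str]:
        return {u for u in list(self.user_roles) if self.permitted(u, resource, op)}


def marketing_scenario() -> dict:
    """Constructed scenario from the slide plus an assumed help desk role."""
    rbac = Rbac()
    rbac.allow("marketing_manager", "marketing_files", "read")
    rbac.allow("marketing_manager", "marketing_files", "write")
    # Least privilege: the help desk role resets passwords and nothing more.
    rbac.allow("help_desk", "user_accounts", "reset_password")

    rbac.assign("Kamal", "marketing_manager")
    rbac.assign("Upul", "marketing_manager")
    rbac.assign("Nimal", "help_desk")  # assumed user

    before = rbac.who_can("marketing_files", "write")
    rbac.revoke("Kamal", "marketing_manager")  # Kamal moves to another department
    after = rbac.who_can("marketing_files", "write")

    return {
        "writers_before": before,
        "writers_after": after,
        "helpdesk_reset": rbac.permitted("Nimal", "user_accounts", "reset_password"),
        "helpdesk_create": rbac.permitted("Nimal", "user_accounts", "create"),
        "role_perms_unchanged": len(rbac.role_perms["marketing_manager"]) == 2,
    }


if __name__ == "__main__":
    for k, v in marketing_scenario().items():
        print(f"{k}: {v}")
```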

Implementing Access Control
In-class independent work

Other models: Attribute based access control, Policy based access control, Risk adaptive access control etc.

Use Unix setfacl and getfacl to test access control lists.

Identify the use of RADIUS (Remote Authentication Dial In User Service) as a method to provide authentication based access control (method, use and weaknesses).

Identify the use of Kerberos as a method of access control via identification and verification of network users (method, use and weaknesses).

Identify Lightweight Directory Access Protocol (LDAP) (X.500 Lite) as an access control mechanism (method, use and weaknesses).

X.800-191.3 standard services.

Explain how the access control lists are managed via a matrix.

Let's look at how the label based access control works

MLS or Multilevel security is an implementation of label based access control.

The following example is based on confidentiality (unauthorized eyes cannot see) and disregards integrity and availability.

The first step is to categorize data:

- Objects are an ordered list with labels: Unclassified, Confidential, Secret, Top-Secret
- Subjects (these express a membership in an interest group) are an unordered set with labels: Crypto, Nuclear, Janitorial, Personnel

Example of two documents with associated labels:

- (Secret: {Nuclear, Crypto}) contains somewhat sensitive information related to the categories Nuclear and Crypto
- (Top Secret: {Crypto}) contains very sensitive information in category Crypto.

A question we suggested for confidentiality policies is: How do I characterize who is authorized to see what?

Let's look at how the label based access control works ...

Then each individual desirous of accessing this information will have:

- a hierarchical security level indicating the degree of trustworthiness to which he or she has been vetted;
- a set of "need-to-know categories" indicating domains of interest in which he or she is authorized to operate.

The labels on documents indicate the sensitivity of the contained information; "labels" on humans indicate classes of information that person is authorized to access.

The need-to-know categories are an implementation of the Principle of Least Privilege.

Now let's look at how the access is controlled:

Clearance (Subject)          Sensitivity (Object)       Access
(Secret:{Crypto})            (Confidential:{Crypto})    Yes
(Secret:{Crypto,Nuclear})    (Top-Secret:{Crypto})      No
(Secret:{Nuclear})           (Unclassified:{})          Yes

Let's look at how the label based access control works ...

To control access by Subjects to Objects, we need "labels" for both.

For Objects the labels indicate the sensitivity of the information contained.

For Subjects, the labels indicate the authorization (clearance) to view certain classes of information.

A Subject should be given the minimal authorization to perform the job assigned. (Least Privilege)

Whether a Subject should be able to view a specific Object depends on a relationship between the label of the Object and the clearance of the Subject.

Let's look at how the label based access control works ...

Mathematically, it uses the dominates rule: Given a set of security labels (L, S), comprising hierarchical levels and categories, we can define an ordering relation among labels.

(L1, S1) dominates (L2, S2) iff

- L1 ≥ L2 in the ordering on levels, and
- S2 ⊆ S1

We usually write (L1, S1) ≥ (L2, S2).

Note that this is a partial order, not a total order. I.e., there are security labels A and B such that neither A ≥ B nor B ≥ A.

Implementations of Access Control Models

- Bell-LaPadula model
- Biba model
- Clark-Wilson model
- Chinese wall model

Bell-LaPadula Model (BLP)

The BLP is a state machine model used for enforcing access control in government and military applications.

It was developed by David Elliott Bell and Leonard J. LaPadula.

The Bell-LaPadula model focuses on data confidentiality and controlled access to classified information.

It defines two MAC rules and one DAC rule:

- The Simple Security Property (ss-property): a subject at a given security level may not read an object at a higher security level (no read-up).
- The ∗-property: a subject at a given security level must not write to any object at a lower security level (no write-down). The ∗-property is also known as the Confinement property.
- The Discretionary Security Property (ds-property): an individual (or role) may grant to another individual (or role) access to a document based on the owner's discretion, constrained by the MAC rules. Using an ACL.

Bell-LaPadula Model (BLP) ....

Breach of confidentiality: Read from high and write to low

Bell-LaPadula Model (BLP) ....

Scenario: Consider a restrictive classification which has label ordering Regular < Secret < Top-secret < Double-Z Top Secret.

The first rule says that you can't read documents if you don't have a high enough classification level. Hence if you have a "Secret" clearance, then you can read "Secret" and "Regular" documents, but you can't read "Top Secret" or "Double-Z Top Secret" documents. The simple description of this rule is "no read-up."

The second rule says that you can't write documents lower than your classification level. But you can write documents higher than your classification level; you still can't read them. So again if you have a "Secret" classification level, you can write to "Secret," "Top Secret," and "Double-Z Top Secret", but you can't write to "Regular". The simple description of this rule is "no write-down."

The third rule just allows for much more fine-grained access: within an access level, the system uses an access control matrix to limit access. For e.g. a Top-Secret label may not be allowed to access all documents associated with the Top-Secret label. According to the matrix, can the user delete the file? Write to the file? Read from the file? Is the user the owner of the file?

Issues with Bell-LaPadula Model

The transfer of information from a high-sensitivity document to a lower-sensitivity document may happen in the Bell-LaPadula model via the concept of trusted subjects. Trusted Subjects are not restricted by the ∗-property. Untrusted subjects are.

Suppose someone with access to a Top Secret document copies the information onto a piece of paper and sticks it into an Unclassified folder.

Only addresses confidentiality, control of writing (one form of integrity), the ∗-property and discretionary access control.

Covert channels such as Trojan horses and requesting system resources to learn about other users are mentioned but are not addressed comprehensively.

The tranquility principle (the tranquility principle of the Bell–LaPadula model states that the classification of a subject or object does not change while it is being referenced) limits its applicability to systems where security levels do not change dynamically.

Page 44: 02.security systems

Issues with Bell-LaPadula Model ...

Assume you could somehow change an object's label from (Top Secret: { Crypto }) to (Unclassified: {}) independent of the object's contents. This would clearly violate confidentiality.

The tranquility principle has two flavors:

The Strong Tranquility Property: Subjects and objects do not change labels during the lifetime of the system.
The Weak Tranquility Property: Subjects and objects do not change labels in a way that violates the "spirit" of the security policy.

Suppose your system includes a command to lower the level of an object in an unconstrained way. Does that violate the goals of simple security or the ∗-property?

Suppose your system includes a command to raise the level of an object in an unconstrained way. Does that violate the goals of simple security or the ∗-property?


Bell-LaPadula Model in Mathematics

The Simple Security Property: Subject $S$ with clearance $(L_S, C_S)$ may be granted read access to object $O$ with classification $(L_O, C_O)$ only if $(L_S, C_S) \geq (L_O, C_O)$.

The ∗-Property: Subject $S$ with clearance $(L_S, C_S)$ may be granted write access to object $O$ with classification $(L_O, C_O)$ only if $(L_S, C_S) \leq (L_O, C_O)$.


Bell-LaPadula Model Example

Consider a BLP system with three subjects and three objects together with the ordering H > L.

Subjects   Level          Objects   Level
Sub1       (H:{A,B,C})    Obj1      (L:{A,B,C})
Sub2       (L:{})         Obj2      (L:{})
Sub3       (L:{A,B})      Obj3      (L:{B,C})

The corresponding access control matrix is

        Obj1   Obj2   Obj3
Sub1    R      R      R
Sub2    W      R,W    W
Sub3    W      R      -


Lattice Based Models

When the labels are organized in such a structure, the structure is called a lattice.

It is a partial ordering which satisfies the transitive property (if a ≤ b and b ≤ c then a ≤ c) and the antisymmetric property (if a ≤ b and b ≤ a, then a = b).

(Figure: a simple lattice example for the factors of 60.)


Lattice Based Models...


The Biba Model

Similar to BLP, but the focus is on integrity, not confidentiality. By analogy with BLP, bad (low integrity) information can flow into a good (high integrity) object if:

a low integrity subject writes bad information into a high integrity object; or
a high integrity subject reads bad information from a low integrity object.

This revisits the distinction between military and commercial policy:
Military policy focuses on confidentiality.
Commercial policy focuses on integrity.

For modeling purposes, as we did with confidentiality, we assign integrity labels.

An object's label characterizes the degree of "trustworthiness" of the information contained in that object. E.g. gossip overheard on the roadside should have lower credibility than a report from a panel of experts.
A subject's label measures the confidence one places in its ability to produce / handle information. E.g. a certified application may have more integrity than freeware downloaded from the Internet.


The Biba Model...

Intuitively, integrity relates to how much you trust an entity to produce, protect, or modify data.

It uses the following principles: separation of duty and functions, and auditing.

Integrity labels look like BLP confidentiality labels.

A hierarchical component gives the level of trustworthiness.
A set of categories provides a list of domains of relevant competence.

Example: A lecturer might have integrity label (Expert: Management), meaning that he has a very high degree of credibility in Management expertise. But there's no particular reason to trust his opinion on a matter of Politics or Drama.

This suggests, by analogy with the BLP rules, that a subject shouldn't be allowed to "write up" in integrity or to "read down" in integrity.


The Biba Model...

Ken Biba (1977) proposed three different integrity access control policies:

The Low Water Mark Integrity Policy (for objects and subjects, and integrity audit)
The Ring Policy
Strict Integrity (this is the one which is called the Biba Integrity Model)

Mathematically the Biba model can be given as:

Simple Integrity Property: Subject $S$ can read object $O$ only if $I(S) \leq I(O)$, i.e. a subject can only read objects at its own integrity level or above.
Integrity ∗-Property: Subject $S$ can write to object $O$ only if $I(O) \leq I(S)$, i.e. a subject can only write objects at its own integrity level or below.

This means that a subject's integrity cannot be tainted by reading bad (lower integrity) information, and a subject cannot taint more reliable (higher integrity) information by writing into it.


Biba Model Example

Since this is an access control policy, it can be represented as an access control matrix. Suppose H > L are hierarchical integrity levels.

Subjects   Level          Objects   Level
Sub1       (H:{A,B,C})    Obj1      (L:{A,B,C})
Sub2       (L:{})         Obj2      (L:{})
Sub3       (L:{A,B})      Obj3      (L:{B,C})

The corresponding access control matrix is

        Obj1   Obj2   Obj3
Sub1    W      W      W
Sub2    R      R,W    R
Sub3    R      W      -

To protect confidentiality and integrity, one could use both BLP and Biba's Strict Integrity policy. That is, we need confidentiality labels and integrity labels for all subjects and objects. Access is allowed only if it is allowed by both the BLP rules and the Biba rules.
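The BLP rules (slide 45) and the Biba rules above share one dominance relation on (level, category-set) labels, so a single added example can reproduce both access matrices from the slides and then combine the two policies as suggested here. This is example code written for these notes, not the lecture's own; the labels and the ordering H > L come from the slides, while the function names and the reuse of one label for both policies in the final step are assumptions.

```python
"""BLP and Biba access decisions over (level, category-set) labels.

Constructed example: the subjects, objects and ordering H > L are the
ones from the slides; the code structure is this example's own."""

LEVELS = {"L": 0, "H": 1}  # hierarchical component of a label: H > L

def dominates(a, b):
    """(La, Ca) >= (Lb, Cb): level at least as high AND categories a superset."""
    (la, ca), (lb, cb) = a, b
    return LEVELS[la] >= LEVELS[lb] and set(ca) >= set(cb)

def blp_access(subject, obj):
    """Simple security: read iff S >= O.  *-property: write iff S <= O."""
    modes = []
    if dominates(subject, obj):
        modes.append("R")
    if dominates(obj, subject):
        modes.append("W")
    return ",".join(modes) or "-"

def biba_access(subject, obj):
    """Simple integrity: read iff I(S) <= I(O).  Integrity *: write iff I(O) <= I(S)."""
    modes = []
    if dominates(obj, subject):
        modes.append("R")
    if dominates(subject, obj):
        modes.append("W")
    return ",".join(modes) or "-"

def combined_access(conf_s, conf_o, int_s, int_o):
    """A mode is allowed only if BOTH the BLP rules (on confidentiality
    labels) and the Biba strict-integrity rules (on integrity labels) allow it."""
    blp = blp_access(conf_s, conf_o).split(",")
    biba = biba_access(int_s, int_o).split(",")
    modes = [m for m in ("R", "W") if m in blp and m in biba]
    return ",".join(modes) or "-"

def access_matrix(subjects, objects, decide):
    """Build {subject: {object: modes}} with the given decision function."""
    return {s: {o: decide(subjects[s], objects[o]) for o in objects}
            for s in subjects}

# Constructed data: the labels used in the slide examples.
SUBJECTS = {"Sub1": ("H", {"A", "B", "C"}), "Sub2": ("L", set()),
            "Sub3": ("L", {"A", "B"})}
OBJECTS = {"Obj1": ("L", {"A", "B", "C"}), "Obj2": ("L", set()),
           "Obj3": ("L", {"B", "C"})}

if __name__ == "__main__":
    for name, decide in (("BLP", blp_access), ("Biba", biba_access)):
        print(name, access_matrix(SUBJECTS, OBJECTS, decide))
    # Reusing one label for both policies (an assumption for illustration)
    # leaves only Sub2/Obj2 with any access at all.
    print({s: {o: combined_access(SUBJECTS[s], OBJECTS[o], SUBJECTS[s], OBJECTS[o])
               for o in OBJECTS} for s in SUBJECTS})
```

Because Biba's rules are the mirror image of BLP's, every R in one matrix becomes a W in the other, which is why enforcing both with identical labels leaves almost nothing accessible.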


BLP versus Biba Model

The Bell-LaPadula model is used to provide confidentiality. The Biba model is used to provide integrity. The Bell-LaPadula and Biba models are information flow models because they are most concerned about data flowing from one level to another. Bell-LaPadula uses security levels and Biba uses integrity levels.

A tip to remember: if the word "simple" is used, the rule is talking about reading. If the rule uses a "star", it is talking about writing.


Independent Work on Security Models

Biba's Low Water Mark Integrity Policy

Biba's Ring Policy

Take-Grant Model (this is a DAC model)

Lipner's Integrity Matrix Models (which combine the Bell model and the Biba model)

Graham-Denning Model

Note that most of the above policies are commercially applicable policies, so they are more DAC than MAC.


Biba Model Mandatory Policies: Low-Watermark Policy for Subjects

It is a relaxed "no-read-down".

It does not restrict a subject from reading objects; however, it dynamically lowers the integrity level of a subject based on what objects are observed.

One shortcoming of the policy: if a subject observes a less trusted object, the subject's integrity level drops to that of the object. Later, the subject cannot observe a higher integrity level object for any reason, even though it legitimately needs to.


Biba Model Mandatory Policies: Low-Watermark Policy for Objects

It is a relaxed "no write-down".

Any subject may modify any object, regardless of integrity levels; the modification is not prevented. In reality the policy is not very practical.

If a subject modifies an object at a higher integrity level (a more trusted object), the transaction is recorded in an audit log.

The object's integrity level is lowered.


Biba Model Mandatory Policies: Ring Policy

The Ring Policy allows any subject to observe any object. This policy is only concerned with direct modification.

The drawback to this policy is that it allows improper modifications to take place indirectly.

A subject can read a less trusted object. Then the subject could modify the data it observed at its own integrity level.

An example of this would be a user reading a less trusted object, remembering the data they read, and then at a later time writing that data to an object at their own integrity level.


Clark and Wilson Model

David Clark and David Wilson (1987) argued that commercial security has its own unique concerns and merits a model crafted for that domain.

Clark and Wilson claimed that the following are four fundamental concerns of any reasonable commercial integrity model:

Authentication: the identity of all users must be properly authenticated.
Audit: modifications should be logged to record every program executed and by whom, in a way that cannot be subverted.
Well-formed transactions: users manipulate data only in constrained ways. Only legitimate accesses are allowed.
Separation of duty: the system associates with each user a valid set of programs they can run and prevents unauthorized modifications, thus preserving integrity and consistency with the real world.


Clark and Wilson Model.....

The policy is constructed in terms of the following categories:

Constrained Data Items: CDIs are the objects whose integrity is protected.
Unconstrained Data Items: UDIs are objects not covered by the integrity policy.
Transformation Procedures: TPs are the only procedures allowed to modify CDIs, or to take arbitrary user input and create new CDIs. They are designed to take the system from one valid state to another.
Integrity Verification Procedures: IVPs are procedures meant to verify that the integrity of CDIs is maintained.

It uses two kinds of rules, viz. certification and enforcement, to control access.


Clark and Wilson Model Policy Rules

C1: IVP Certification – The system will have an IVP for validating the integrity of any CDI, i.e. all IVPs must ensure that CDIs are in a valid state when the IVP is run.
C2: Validity – The application of a TP to any CDI must maintain the integrity of that CDI. TPs must be certified to ensure that they result in a valid CDI, i.e. all TPs must be certified as integrity-preserving.
C3: Modification – A CDI can only be changed by a TP. TPs must be certified to ensure they implement the principles of separation of duties and least privilege, i.e. the assignment of TPs to users must satisfy separation of duty.
C4: Journal Certification – TPs must be certified to ensure that their actions are logged, i.e. the operation of TPs must be logged.
C5: TPs which act on UDIs must be certified to ensure that they result in a valid CDI.
E1: Enforcement of Validity – Only certified TPs can operate on CDIs.
E2: Enforcement of Separation of Duty – Users must only access CDIs through TPs for which they are authorized.
E3: User Identity – The system must authenticate the identity of each user attempting to execute a TP.
E4: Initiation – Only an administrator can specify TP authorizations.


Clark and Wilson Model Implementation

Permissions are encoded as a set of triples of the form (user, TP, {CDI set}), where user is authorized to perform a transformation procedure TP on the given set of constrained data items (CDIs).

Each triple in the policy must comply with all applicable certification and enforcement rules.

Handling of untrusted inputs: any TP that takes as input a UDI may perform only valid transformations, or no transformations, for all possible values of the UDI. The transformation either rejects the UDI or transforms it into a CDI.

For example, in a bank ATM, numbers entered at the keyboard are UDIs, so they cannot be input to TPs as such. TPs must validate the numbers (to make them a CDI) before using them; if validation fails, the TP rejects the UDI.
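The ATM scenario above, worked through as an added example (not the lecture's own code): permission triples, the enforcement rules E1 to E4, the journal required by C4, and a deposit TP that validates its keyboard UDI or rejects it (C5). The class and function names, the account names and the amounts are assumptions constructed for the illustration.

```python
"""Clark-Wilson style enforcement with (user, TP, {CDI set}) triples.

Constructed example around the ATM deposit from the slide: the keyboard
string is a UDI that the TP must validate into a CDI value or reject."""
from decimal import Decimal, InvalidOperation


class ClarkWilson:
    def __init__(self, administrator):
        self.administrator = administrator
        self.cdis = {}          # CDI name -> value (integrity-protected data)
        self.tps = {}           # certified TPs only (C2): name -> function
        self.triples = set()    # (user, TP, frozenset(CDIs)) permissions
        self.logged_in = set()  # users that passed authentication (E3)
        self.journal = []       # every TP execution is recorded here (C4)

    def add_account(self, name, balance):
        self.cdis[name] = Decimal(balance)

    def authorize(self, by, user, tp, cdis):
        """E4: only the administrator may specify TP authorizations."""
        if by != self.administrator:
            return False
        self.triples.add((user, tp, frozenset(cdis)))
        return True

    def run(self, user, tp, cdis, udi):
        """Run TP on the CDIs with untrusted input udi. Returns "ok",
        "rejected" (bad UDI) or the enforcement rule that denied the call."""
        if user not in self.logged_in:
            return "E3"          # identity not authenticated
        if tp not in self.tps:
            return "E1"          # only certified TPs may operate on CDIs
        if (user, tp, frozenset(cdis)) not in self.triples:
            return "E2"          # user not authorized for this TP/CDI set
        ok = self.tps[tp](self.cdis, list(cdis), udi)
        self.journal.append((user, tp, tuple(cdis), udi, ok))  # C4
        return "ok" if ok else "rejected"


def deposit_tp(store, cdis, udi):
    """C5: turn the keyboard UDI into a valid amount or reject it outright."""
    try:
        amount = Decimal(udi)
        valid = amount > 0 and amount == amount.quantize(Decimal("0.01"))
    except InvalidOperation:     # non-numeric, NaN or infinite input
        return False
    if not valid:
        return False
    (account,) = cdis            # this TP is certified for exactly one CDI
    store[account] += amount
    return True


def balance_ivp(store):
    """C1: IVP checking every CDI (account balance) is in a valid state."""
    return all(isinstance(v, Decimal) and v >= 0 for v in store.values())
```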


Clark and Wilson Model Implementation ...

Separation of duties: Only the certifier of a TP may change the list of entities associated with that TP. No certifier of a TP, or of an entity associated with that TP, may ever have execute permission with respect to that entity.

This enforces separation of duty with respect to the certified and allowed relations.

Ensuring integrity:

Provides an assurance that CDIs can be modified only in constrained ways (ensured by rules C1, C2, C5, E1 and E4).
Provides an ability to control access to resources (ensured by rules C3, E2 and E3).
Provides an ability to ascertain after the fact that changes to CDIs are valid and the system is in a valid state (provided by rules C1 and C4).
Provides an ability to uniquely associate a user with her/his action (enforced by rule E3).


Chinese Wall Model

Brewer and Nash (1989) proposed the policy, which addresses a conflict of interest problem. Strictly speaking, this is not an integrity policy, but an access control confidentiality policy.

The Chinese Wall Model is an idea that stems from the ability to read or write information. The main idea is that you are able to access any information you want from any company, but once you access that information, you are no longer allowed to access information from another company within that class of companies.

The security policy builds on three levels of abstraction:
Objects such as files. Objects contain information about only one company.
Company groups collect all objects concerning a particular company.
Conflict classes cluster the groups of objects for competing companies.

For example, consider the following conflict classes:
{ Dialog, Mobitel, Airtel }
{ Central Bank, HNB, HSBC }
{ Microsoft }


Chinese Wall Model....

We have a simple access control policy: a subject may access information from any company as long as that subject has never accessed information from a different company in the same conflict class.

For example, if you access a file from Dialog, you subsequently will be blocked from accessing any files from Mobitel or Airtel. You are free to access files from companies in any other conflict class.

Notice that permissions change dynamically. The access rights that any subject enjoys depend on the history of past accesses.


Policy Rules for Chinese Wall Model

(Chinese Wall) Simple Security Rule: A subject s can be granted access to an object o only if the object:

is in the same company dataset as the objects already accessed by s, that is, "within the Wall," or
belongs to an entirely different conflict of interest class.

(Chinese Wall) ∗-property: Write access is only permitted if:

access is permitted by the simple security rule, and
no object can be read which is:

in a different company dataset than the one for which write access is requested, and
contains unsanitized information.

The Chinese Wall is an access control policy in which accesses are sensitive to the history of past accesses.
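Both rules above are history-dependent, so the natural way to show them is a subject that records every object it has read and consults that record on each request. The following is an added example, not the lecture's code; it uses the conflict classes from the earlier slide, and the class and method names (Subject, Obj, may_read, may_write) and the sample files are assumptions constructed for the illustration.

```python
"""Chinese Wall (Brewer and Nash) decisions driven by access history.

Constructed example using the conflict classes listed on the slides; the
class and method names are this example's own assumptions."""

CONFLICT_CLASSES = [
    {"Dialog", "Mobitel", "Airtel"},
    {"Central Bank", "HNB", "HSBC"},
    {"Microsoft"},
]


def conflict_class(company):
    """Return the set of competing companies that contains `company`."""
    for cls in CONFLICT_CLASSES:
        if company in cls:
            return cls
    raise KeyError(f"unknown company {company!r}")


class Obj:
    """An object holds information about exactly one company."""
    def __init__(self, name, company, sanitized=False):
        self.name, self.company, self.sanitized = name, company, sanitized


class Subject:
    def __init__(self, name):
        self.name = name
        self.history = []  # every object this subject has read, in order

    def may_read(self, obj):
        """Simple security rule: obj is inside the Wall (a company dataset
        already accessed) or in a conflict class never touched so far."""
        for seen in self.history:
            if seen.company != obj.company and obj.company in conflict_class(seen.company):
                return False
        return True

    def read(self, obj):
        """Record the access: the rights of later requests depend on it."""
        if not self.may_read(obj):
            return False
        self.history.append(obj)
        return True

    def may_write(self, obj):
        """*-property: additionally, nothing unsanitized from a different
        company dataset may have been read, or the write could leak it."""
        if not self.may_read(obj):
            return False
        return all(seen.company == obj.company or seen.sanitized
                   for seen in self.history)
```

Note that a write is refused as soon as unsanitized data from any other company, even one in a different conflict class, has been read, because the written object could carry that data across the Wall for a later reader.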


The concept of a Trusted System

The models described above are all aimed at enhancing the trust that users and administrators have in the security of a computer system.

Some definitions:

Trust: The extent to which someone who relies on a system can have confidence that the system meets its specifications (i.e., that the system does what it claims to do and does not perform unwanted functions).
Trusted system: A system believed to enforce a given set of attributes to a stated degree of assurance.
Trusted computing base (TCB): A portion of a system that enforces a particular policy. The TCB must be resistant to tampering and circumvention. The TCB should be small enough to be analyzed systematically.

The trust domain security rules specify the conditions:

for generating information
for maintaining information privacy
for maintaining information integrity


The reference monitor

Initial implementations used something called a Reference Monitor to implement a TCS.

The reference monitor enforces the security rules (no read up, no write down) and has the following properties:

Complete mediation: The security rules are enforced on every access, not just, for example, when a file is opened.
Isolation: The reference monitor and database are protected from unauthorized modification.
Verifiability: The reference monitor's correctness must be provable. That is, it must be possible to demonstrate mathematically that the reference monitor enforces the security rules and provides complete mediation and isolation.

It is noted that these are very restrictive, and the solution may be partly hardware based.


The reference monitor ....
