C. Edward Chow.ppt
Format: PPT, 43 pages, 330.50 KB

Security Policies
C. Edward Chow, CS591. Chapter 5.2/5.4 of Security in Computing.

Goals of Confidentiality Policies
- Confidentiality policies emphasize the protection of confidentiality.
- A confidentiality policy, also called an information flow policy, prevents unauthorized disclosure of information.
- Example: the Privacy Act requires that certain personal data be kept confidential. E.g., income tax return information is available only to the IRS and to legal authorities with a court order. It limits the distribution of documents/information.

Discretionary Access Control (DAC)
- DAC: a mechanism where a user can set access control to allow or deny access to an object (Section 5.4). Also called identity-based access control (IBAC).
- It is the traditional access control technique implemented by traditional operating systems such as Unix.
- Based on user identity and ownership.
- Programs run by a user inherit all privileges granted to the user.
- Programs are free to change access to the user's objects.
- Supports only two major categories of users: completely trusted admins and completely untrusted ordinary users.

Problems with DAC
- Each user has complete discretion over his objects. What is wrong with that?
- Difficult to enforce a system-wide security policy, e.g., a user can leak classified documents to unclassified users. Other examples?
- Based only on user identity and ownership, ignoring security-relevant information such as:
  - the user's role
  - the function of the program
  - the trustworthiness of the program (a compromised program can change access to the user's objects, and it inherits all the permissions granted to the user, especially the root user)
  - the sensitivity of the data
  - the integrity of the data
- Supports only coarse-grained privileges.
- Unbounded privilege escalation.
- Too simple a classification of users (how about more than two categories of users?).

Mandatory Access Control (MAC)
- MAC: a mechanism where the system controls access to an object and a user cannot alter that access. Occasionally called rule-based access control.
- Defined by three major properties:
  - an administratively defined security policy
  - control over all subjects (processes) and objects (files, sockets, network interfaces)
  - decisions based on all security-relevant information
- MAC access decisions are based on labels that contain security-relevant information.

What Can MAC Offer?
- Supports a wide variety of categories of users in a system. For example, users with labels (secret, {EUR, US}) and (top secret, {NUC, US}). Here a security level is specified by the two-tuple (clearance, category set).
- Strong separation of security domains.
- System, application, and data integrity.
- Ability to limit program privileges.
- Confines the damage caused by flawed or malicious software.
- Processing pipeline guarantees.
- Authorization limits for legitimate users.

Mandatory and Discretionary Access Control
- The Bell-LaPadula model combines mandatory and discretionary access controls.
- "S has discretionary read (write) access to O" means that the access control matrix entry for S and O corresponding to the discretionary access control component contains a read (write) right.
- [Figure: an access control matrix with objects A, B, C, D and subjects O, Q, S, T; the row for subject S contains read(D).]
- If the mandatory controls were not present, S would be able to read (write) O.

Bell-LaPadula Model
- Also called the multi-level model. Proposed by Bell and LaPadula of MITRE for enforcing access control in government and military applications.
- It corresponds to military-style classifications. In such applications, subjects and objects are often partitioned into different security levels. A subject can only access objects at certain levels determined by its own security level.
- For instance, the following are two typical access specifications: "Unclassified personnel cannot read data at confidential levels" and "Top-Secret data cannot be written into files at unclassified levels".

Hierarchy of Sensitivities
[Figure: the linear ordering of sensitivity levels, from Top Secret down through Secret, Confidential and Restricted to Unclassified.]

Informal Description
- The simplest type of confidentiality classification is a set of security clearances arranged in a linear (total) ordering.
- Clearances represent the security levels. The higher the clearance, the more sensitive the information.
- Basic confidentiality classification system:

  Level               Individuals        Documents
  Top Secret (TS)     Tamara, Thomas     Personnel Files
  Secret (S)          Sally, Samuel      Electronic Mail
  Confidential (C)    Claire, Clarence   Activity Log Files
  Unclassified (UC)   Ulaley, Ursula     Telephone Lists

Star Property (Preliminary Version)
- Let L(S) = l_s be the security clearance of subject S, and let L(O) = l_o be the security classification of object O. For all security classifications l_i, i = 0, ..., k-1: l_i < l_{i+1}.
- Simple Security Condition (read down): S can read O if and only if l_o <= l_s and S has discretionary read access to O.
- *-Property (star property, write up): S can write O if and only if l_s <= l_o and S has discretionary write access to O. A TS subject cannot write documents classified lower than TS. This prevents classified information from leaking.
- No read up; no write down! But how can different groups communicate?

Basic Security Theorem
- Let Σ be a system with a secure initial state σ_0, and let T be the set of state transformations. If every element of T preserves the simple security condition, preliminary version, and the *-property, preliminary version, then every state σ_i, i >= 0, is secure.

Categories and the Need-to-Know Principle
- Expand the model by adding a set of categories. Each category describes a kind of information. These categories arise from the "need to know" principle: no subject should be able to read objects unless reading them is necessary for that subject to perform its function.
- Example: three categories, NUC, EUR, US.
- A clearance (or classification) together with a set of categories forms a security level, or compartment. Subjects have clearance at (are cleared into, or are in) a security level. Objects are at the level of (or are in) a security level.

Security Lattice
- William may be cleared into level (SECRET, {EUR}) and George into level (TS, {NUC, US}). A document may be classified as (C, {EUR}).
- Someone with clearance at (TS, {NUC, US}) will be denied access to a document with category EUR.
- [Figure: the lattice of category sets, {NUC, EUR, US} at the top; {NUC, EUR}, {NUC, US}, {EUR, US}; then {NUC}, {EUR}, {US}.]

Dominate (dom) Relation
- The security level (L, C) dominates the security level (L', C') if and only if L' <= L and C' is a subset of C.
- ¬dom: the dominate relation is false.
- George is cleared into security level (S, {NUC, EUR}). DocA is classified as (C, {NUC}), DocB as (S, {EUR, US}), DocC as (S, {EUR}).
- George dom DocA; George ¬dom DocB (US is not among George's categories); George dom DocC.

New Simple Security Condition and *-Property
- Let C(S) be the category set of subject S and C(O) the category set of object O.
- Simple Security Condition (no read up): S can read O if and only if S dom O and S has discretionary read access to O.
- *-Property (no write down): S can write to O if and only if O dom S and S has discretionary write access to O.
- Basic Security Theorem: Let Σ be a system with a secure initial state σ_0, and let T be the set of state transformations. If every element of T preserves the simple security condition and the *-property, then every state σ_i, i >= 0, is secure.

Allow Write Down?
- Bell-LaPadula allows a higher-level subject to write into a lower-level object that lower-level subjects can read.
- A subject has a maximum security level and a current security level. The maximum security level must dominate the current security level.
- A subject may (effectively) decrease its security level from the maximum in order to communicate with entities at lower security levels.
- The Colonel's maximum security level is (S, {NUC, EUR}). She changes her current security level to (S, {EUR}). Now she can create documents at the Major's clearance level, (S, {EUR}).

Data General B2 Unix System
- Data General B2 Unix (DG/UX) provides mandatory access controls (MAC). The MAC label is a label identifying a particular compartment.
- The initial label (assigned at login time) is the label assigned to the user in a database called the Authorization and Authentication (A&A) Database.
- When a process begins, it is assigned the MAC label of its parent (whoever creates it).
- Objects are assigned labels at creation. The labels can be explicit or implicit. An explicit label is stored as part of the object's attributes. An implicit label derives from the parent directory of the object.
- IMPL_HI: the least upper bound of all components in the DG/UX lattice has IMPL_HI as its label. IMPL_LO: the greatest lower bound of all components in the DG/UX lattice has IMPL_LO as its label.

Three MAC Regions in the DG/UX MAC Lattice
[Figure 5-3: the three MAC regions in the MAC lattice (modified from the DG/UX Security Manual [257], p. 4-7, Figure 4-4). TCB stands for "trusted computing base".]

Accesses with MAC Labels
- Reading up and writing up from user processes into the Administrative Region are not allowed. Administrative processes sanitize data sent to user processes with MAC labels in the user region.
- System programs are in the lowest region. No user can write to or alter them.
- Only programs with the same label as a directory can create files in that directory. This restriction would prevent compiling (which needs access to /tmp) and mail delivery (which needs access to the mail spool directory). Solution: the multilevel directory.

Multilevel Directory
- A directory with a set of subdirectories, one for each label. These hidden directories are normally invisible to the user.
- When a process with label MAC_A creates a file in /tmp, it actually creates the file in the hidden directory under /tmp with label MAC_A. The parent directory of a file in /tmp is the hidden directory; a reference to the parent directory goes to the hidden directory.
- Process A with label MAC_A creates /tmp/a. Process B with label MAC_B creates /tmp/a. Each of them performs "cd /tmp/a; cd ..". The system call stat(".", &stat_buffer) returns a different inode number for each process: it returns the inode number of the respective hidden directory. (Try the "stat" command to display a file's status.)
- DG/UX provides dg_mstat(".", &stat_buffer) to translate the current working directory to the multilevel directory.

Mounting an Unlabeled File System
- All files in that file system need to be labeled. Symbolic links aggravate this problem: does the MAC label control the target of the link, or the link itself?
- DG/UX uses a notion of inherited labels (called implicit labels) to solve this problem. The following rules control the way objects are labeled.
  1. Roots of file systems have explicit MAC labels. If a file system without labels is mounted on a labeled file system, the root directory of the mounted file system receives an explicit label equal to that of the mount point. However, the label of the mount point, and of the underlying tree, is no longer visible, and so its label is unchanged (and will become visible again when the file system is unmounted).
  2. An object with an implicit MAC label inherits the label of its parent.
  3. When a hard link to an object is created, that object must have an explicit label; if it does not, the object's implicit label is converted to an explicit label. A corollary is that moving a file to a different directory makes its label explicit.
  4. If the label of a directory changes, any immediate children with implicit labels have those labels converted to explicit labels before the parent directory's label is changed.
  5. When the system resolves a symbolic link, the label of the object is the label of the target of the symbolic link. However, to resolve the link, the process needs access to the symbolic link itself.

Interesting Case with Hard Links
- Let /x/y/z and /x/a/b be hard links to the same object. Suppose y has an explicit label IMPL_HI and a has an explicit label IMPL_B. Then the file object can be accessed by a process at IMPL_HI as /x/y/z and by a process at IMPL_B as /x/a/b. Which label is correct? Two cases arise.
- Suppose the hard link is created while the file system is on a DG/UX B2 system. Then the DG/UX system converts the target's implicit label to an explicit one (rule 3). Thus, regardless of the path used to refer to the object, the label of the object will be the same.
- Suppose the hard link already exists when the file system is mounted on the DG/UX B2 system. In this case, the target had no file label when it was created, and one must be added. If no objects on the paths to the target have explicit labels, the target will have the same (implicit) label regardless of the path being used. But if any object on any path to the target of the link acquires an explicit label, the target's label may depend on which path is taken. To avoid this, the implicit labels of a directory's children must be preserved when the directory's label is made explicit. Rule 4 does this.
- Because symbolic links interpolate path names of files, rather than store inode numbers, computing the label of symbolic links is straightforward. If /x/y/z is a symbolic link to /a/b/c, then the MAC label of c is computed in the usual way. However, the symbolic link itself is a file, and so the process must also have access to the link file z.

Enable Flexible Write in DG/UX
- Provide a range of labels called a MAC tuple. A range is a set of labels expressed by a lower bound and an upper bound. A MAC tuple consists of up to three ranges (one for each of the regions in Figure 5-3).
- Example: a system has two security levels, TS and S, the former dominating the latter. The categories are COMP, NUC, and ASIA. Examples of ranges are:
  [(S, {COMP}), (TS, {COMP})]
  [(S, {}), (TS, {COMP, NUC, ASIA})]
  [(S, {ASIA}), (TS, {ASIA, NUC})]
- The label (TS, {COMP}) is in the first two ranges. The label (S, {NUC, ASIA}) is in the last two ranges. However, [(S, {ASIA}), (TS, {COMP, NUC})] is not a valid range, because (TS, {COMP, NUC}) does not dominate (S, {ASIA}).

Formal Model
- Let S be the set of subjects of a system and let O be the set of objects. Let P be the set of rights: r for read, a for write, w for read/write, and e for empty.
- Let M be a set of possible access control matrices for the system.
- Let C be the set of classifications (or clearances), let K be the set of categories, and let L = C × K be the set of security levels.
- Finally, let F be the set of 3-tuples (f_s, f_o, f_c), where f_s and f_c associate with each subject its maximum and current security levels, respectively, and f_o associates with each object a security level.
- The system objects may be organized as a set of hierarchies (trees and single nodes). Let H represent the set of hierarchy functions h: O -> P(O), where P(O) is the power set of O, i.e., the set of all possible subsets of O. The hierarchy functions have two properties. Let o_i, o_j, o_k ∈ O:
  - If o_i ≠ o_j, then h(o_i) ∩ h(o_j) = ∅.
  - There is no set {o_1, o_2, ..., o_k} ⊆ O such that for each i = 1, ..., k, o_{i+1} ∈ h(o_i), and o_{k+1} = o_1.

Formal Model: State, Request
- A state v ∈ V of a system is a 4-tuple (b, m, f, h), where b ∈ P(S × O × P) indicates which subjects have access to which objects, and what those access rights are; m ∈ M is the access control matrix for the current state; f ∈ F is the 3-tuple indicating the current subject and object clearances and categories; and h ∈ H is the hierarchy of objects for the current state.
- The difference between b and m is that the rights in m may be unusable because of differences in security levels; b contains the set of rights that may be exercised, and m contains the set of discretionary rights.
- R denotes the set of requests for access. Four outcomes of each request are possible: y for yes (allowed), n for no (not allowed), i for illegal request, and o for error (multiple outcomes are possible). D denotes the set of outcomes.
- The set W ⊆ R × D × V × V is the set of actions of the system. This notation means that an entity issues a request in R, and a decision in D occurs, moving the system from one state in V to another (possibly different) state in V.
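The DG/UX labeling rules, the hard-link case with /x/y/z and /x/a/b, the symbolic-link case and the MAC tuple ranges from the slides above ("Mounting an Unlabeled File System", "Interesting Case with Hard Links", "Enable Flexible Write in DG/UX"), worked through as one added Python example. This is not DG/UX code: the in-memory file system (Inode, LabeledFS, a path-to-inode map where a hard link is two paths sharing one inode), the mount_preexisting_link helper that stands in for a link that already existed when an unlabeled file system was mounted, and the range helpers (dom, valid_range, in_range with the order S < TS) are all assumptions made here. The path names and labels are the slides' own.

```python
"""DG/UX implicit/explicit MAC labels and MAC tuple ranges (added example,
toy file system; assumed names)."""
from typing import Dict, FrozenSet, Optional, Tuple


class Inode:
    """A file, directory or symbolic link. explicit is None while the label is implicit."""
    def __init__(self, is_dir: bool = False, explicit: Optional[str] = None,
                 symlink_to: Optional[str] = None) -> None:
        self.is_dir, self.explicit, self.symlink_to = is_dir, explicit, symlink_to


class LabeledFS:
    """Path -> Inode map; a hard link is two paths that share one Inode."""
    def __init__(self, root_label: str) -> None:
        self.paths: Dict[str, Inode] = {"/": Inode(True, root_label)}   # rule 1: explicit root

    @staticmethod
    def parent(path: str) -> str:
        return path.rsplit("/", 1)[0] or "/"

    def create(self, path: str, is_dir: bool = False, explicit: Optional[str] = None,
               symlink_to: Optional[str] = None) -> Inode:
        self.paths[path] = Inode(is_dir, explicit, symlink_to)
        return self.paths[path]

    def label(self, path: str) -> str:
        """Rule 2: an implicit label is the parent's label, resolved along the path used."""
        node = self.paths[path]
        return node.explicit if node.explicit is not None else self.label(self.parent(path))

    def link(self, existing: str, new_path: str) -> None:
        """Rule 3: the target of a newly created hard link must carry an explicit label."""
        node = self.paths[existing]
        if node.explicit is None:
            node.explicit = self.label(existing)
        self.paths[new_path] = node

    def mount_preexisting_link(self, existing: str, new_path: str) -> None:
        """A hard link that already existed on an unlabeled file system at mount time:
        rule 3 never ran, so the shared object may still be implicitly labeled."""
        self.paths[new_path] = self.paths[existing]

    def relabel_dir(self, dir_path: str, new_label: str) -> None:
        """Rule 4: implicitly labeled immediate children become explicit before the change."""
        for p, node in self.paths.items():
            if p != dir_path and self.parent(p) == dir_path and node.explicit is None:
                node.explicit = self.label(p)
        self.paths[dir_path].explicit = new_label

    def labels_for_symlink(self, link_path: str) -> Tuple[str, str]:
        """Rule 5: (label of the link file, label of its target); the process needs access to both."""
        return self.label(link_path), self.label(self.paths[link_path].symlink_to)


def hard_link_cases() -> Dict[str, Tuple[str, str]]:
    """/x/y/z and /x/a/b, y explicit IMPL_HI, a explicit IMPL_B: label seen via each path."""
    results = {}
    for created_on_dgux in (True, False):
        fs = LabeledFS("IMPL_LO")
        fs.create("/x", is_dir=True)
        fs.create("/x/y", is_dir=True, explicit="IMPL_HI")
        fs.create("/x/a", is_dir=True, explicit="IMPL_B")
        fs.create("/x/y/z")                       # implicit: inherits IMPL_HI from y
        if created_on_dgux:
            fs.link("/x/y/z", "/x/a/b")           # rule 3 pins the label: same via both paths
        else:
            fs.mount_preexisting_link("/x/y/z", "/x/a/b")   # path-dependent label
        results["dgux" if created_on_dgux else "mounted"] = (fs.label("/x/y/z"), fs.label("/x/a/b"))
    return results


def relabel_case() -> Tuple[str, str]:
    """Rule 4: the child keeps MAC_A explicitly when /tmp is relabeled to MAC_B."""
    fs = LabeledFS("IMPL_LO")
    fs.create("/tmp", is_dir=True, explicit="MAC_A")
    fs.create("/tmp/f")                           # implicit MAC_A
    fs.relabel_dir("/tmp", "MAC_B")
    return fs.label("/tmp"), fs.label("/tmp/f")


def symlink_case() -> Tuple[str, str]:
    """/x/y/z -> /a/b/c: the object's label is c's, but the link file z has its own."""
    fs = LabeledFS("IMPL_LO")
    fs.create("/a", is_dir=True, explicit="MAC_A"); fs.create("/a/b", is_dir=True); fs.create("/a/b/c")
    fs.create("/x", is_dir=True, explicit="MAC_X"); fs.create("/x/y", is_dir=True)
    fs.create("/x/y/z", symlink_to="/a/b/c")
    return fs.labels_for_symlink("/x/y/z")


# MAC tuples: a range [lo, hi] is valid only if hi dom lo; a label is in it if lo <= label <= hi.
LEVEL_ORDER = {"S": 0, "TS": 1}          # assumed order for the slides' two-level example
Lbl = Tuple[str, FrozenSet[str]]


def lab(level: str, *cats: str) -> Lbl:
    return level, frozenset(cats)


def dom(a: Lbl, b: Lbl) -> bool:
    return LEVEL_ORDER[a[0]] >= LEVEL_ORDER[b[0]] and b[1] <= a[1]


def valid_range(lo: Lbl, hi: Lbl) -> bool:
    return dom(hi, lo)


def in_range(label: Lbl, lo: Lbl, hi: Lbl) -> bool:
    return valid_range(lo, hi) and dom(label, lo) and dom(hi, label)
```

The "mounted" case is the one the slides warn about: the same inode reads as IMPL_HI through /x/y/z and IMPL_B through /x/a/b until something makes its label explicit, which is why rule 3 converts the label at link creation and rule 4 freezes children's labels before a directory is relabeled.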
