CSCI262/CSCI862 Spring-2020

System Security (S3b2)

Access control II con’t:

1
 Definition: A lattice (L, ≤) consists of a set L
and a partial order ≤ (generally a reflexive,
antisymmetric, and transitive relation), so
that for every two elements a, b ∈ L there
exists:
– A least upper bound u ∈ L.
This is AND
– A greatest lower bound l ∈ L.
 Formally:
a ≤ u, b ≤ u, and for all v ∈ L : (a ≤ v ∧ b ≤ v)  (u ≤ v)
l ≤ a, l ≤ b, and for all k ∈ L : (k ≤ a ∧ k ≤ b)  (k ≤ l)
2
Properties of the relation ≤
 Reflexive: a ≤ a.
 Antisymmetric: If a ≤ b and b ≤ a then a = b.
 Transitive: If a ≤ b and b ≤ c then a ≤ c.

 An important term:
 If a ≤ b, b dominates a  b dom a
– Domination can be interpreted as meaning
requiring a higher security level. 3
Another example

4
Lattice diagram for S = {1,2,3}


5
 S= {1,2,3}

{1,2} {1,3} {2,3}

{1} {2} {3}

{∅}
6
Access Control Models

 Confidentiality based security models

– BLP model
 Integrity based security models
– Biba model

7
BLP Model

 A confidentiality based security model

 Goal: Prevent information flow from
“high” security levels to “low” security
levels.
 Focus on mandatory and discretionary
access control.
 Rule: No write down, no read up

8
 BLP Security Policy
 A state is secure if it satisfies
– Simple security condition (no read up):
• S can read O iff fo(O) ≤ fc(S)
– The Start property (no write down):
• S can read O iff fc(S) ≥ fo(O) (no read up)
• S can write O iff fc(S) ≤ fo(O) (no write down)
– Discretionary security property:
• Every access is allowed by the access matrix
 A system is secure if and only if every
reachable state is secure 9
10
Criticism of McLean
 What happens if we
– downgrade all subjects to lowest security level
– downgrade all objects to lowest security level
– enter all access rights in the ACM M
 Is the system secure?

11
 Tranquility
 Consider a system with s1,s2,o1,o2
– fs(s1)=fc(s1)=fo(o1)=high
– fs(s2)= fc(s2)= fo(o2) =low
 And the following execution:
– s1 gets access to o1, read something, release
access, then change current level to low, get
write access to o2, write to o2
 Every state is secure
 Solution: tranquillity principle: subject cannot
change current levels, or cannot drop to below the
highest level read so far 12
 Covert channels
 is a type of attack that creates a capability
to transfer information objects between
processes that are not supposed to be
allowed to communicate by the computer
security policy.
 Require two active agents, one at a low
level and the other at a high level and an
encoding scheme to pass on information
about the high level to the low level
13
 Low-level subject s1 creates object o
 High-level accomplice s2 either
– reclassifies o to its own level (Message 1)
– leaves o unchanged (Message 0)
 s1 tries to access o, which is either
– success (Message 0)
– access denied (Message 1)
 One bit of information is transmitted s2 → s1

14
 The concern is with subjects not users
– Users are trusted (must be trusted) not to
disclose secret information outside of the
computer system
– Subjects are not trusted because they may
have Trojan Horses embedded in the code
they execute
 Covert channels are typically noisy but
information theory techniques can be
used to achieve error-free
communication
15
Limitations of BLP
 only deals with confidentiality, not integrity
– Confidentiality is not important as integrity in
many situations
– Limits the access and sharing of information
 assumes a fixed rights
– assumes tranquillity
– no model for access management
– no model for policy making
 allows convert channels
16
More on multi-level security
 Used as attributes of both subjects &
objects
– clearance & classification
 Typical military security levels:
– top secret ≥ secret ≥ confidential ≥
unclassified
 Typical commercial security levels
– restricted ≥ proprietary ≥ sensitive ≥ public

Taken from slides of Ninghui Li at Purdue University 17

Security categories
 Also known as compartments
 Typical military security categories
– army, navy, air force
– nato, nasa, noforn
 Typical commercial security categories
– Sales, R&D, HR
– Dept A, Dept B, Dept C

18
 Security labels


19
Example

20
 A lattice we could work with…
(pri, {P,E})

(pri, {P}) (pri, {E})

(pri, {∅})

(pub, {P,E})

(pub, {P}) (pub, {E})

See Haase diagrams (pub, {∅}) 21

22
Biba integrity model
 In BLP: no-read-up and no-write-down for
confidentiality.
– But: write-up and read-down can introduce integrity
problems.
 Biba proposed a class of integrity models with the
opposite rules:
– Mandatory integrity model: no-read-down and no-write-
up.
– Relax no-read-down (“subject low watermark
property”): Allow a subject to read down, but first lower
its integrity level to that of the object being read.
– Relax no-write-up (“object low watermark property”):
Lower object level to that of subject doing the write.
23
Taken from slides of Alessandro Armando
 Addresses integrity in terms of access by
subjects to objects using a model similar to
that of BLP.
– A lattice (L, ≤) of security levels.
– fs : S → L and fo : O → L assign integrity levels to
subjects and objects.
– Information may only flow downwards in the
integrity lattice.
 Unlike BLP, there is no single high-level
integrity policy but rather a variety of policies
– Static integrity levels.
– Dynamic integrity levels
– Policies for invocation 24
Static integrity levels
 Policies where integrity levels never
change (mirroring BLP’s tranquility)
 No write up: s can modify o iff fs(s) ≥ fo(o)
 No read down: s can read o iff fo(o) ≥ fs(s)

25
Dynamic integrity levels
 Subject low watermark property: relax no-
read-down. Allow a subject to read down,
but first lower its integrity level to that of the
object being read. Write operations are
constrained according to the no-write-up
principle.
 Object low watermark property: relax no-
write-up. Lower object level to that of
subject doing the write. Read operations are
constrained according to the no-read-down
principle 26
Subject low watermark property
 s can read an o at any integrity level
 The new integrity level of s is greatest
lower bound of fs (s) and fs(o), where
fs(s) and fo(o) are the integrity levels
before the operation.

27
Object low watermark property
 s can modify an o at any integrity level.
 The new integrity level of o is greatest
lower bound of fs (s) and fs(o), where
fs(s) and fo(o) are the integrity levels
before the operation.

28
Advantages
 Simple and easy to implement
 Provides a number of different policies
that can be selected based on need

29
Disadvantages
 Does not support confidentiality.
 Doesn’t support the granting and
revocation of authorization.
 Problematic for use in network
environment: need labelling of integrity
for both objects and subjects, and to
date, no network protocol supports this
labelling

30
The Chinese Wall Model
 Hybrid model: addresses integrity and
confidentiality
 Addresses conflict of interest
– Models a consultancy business where
analysts have to make sure that no
conflicts arise when dealing with different
clients (companies)
– Conflicts arise when clients are direct
competitors in the same market, or
because of the ownership of companies
31
Model elements
 A set of subjects S: active entities
interested in accessing protected objects
 A set of companies C
 A set of objects O:
– individual data items, each about a company
– The objects concerning the same company are
called company datasets (DS)
– The function y: O -> C gives the company
dataset for each object
 The function x: O -> L(C) gives the conflict
32
of interest classes for each object
 The security label of an object o is the
pair (x(o), y(o))
 An object is sanitised if x(o) is empty
 Conflicts of interest may also arise from
objects that have been accessed in then
past.
 Let N(s,o) be true, if subject s has had
access to object o, and false, if subject
s never had access to object o

33
ss- property
 A subject s is granted access to an
object o only if for all objects o’ with
N(s,o’)=true: either y(o) = y(o’) or y(o)
does not belong to x(o’)
 That is, access is granted only if the
object requested belongs to:
– a company dataset already held by the
subject (the analyst), or
– an entirely different conflict of interest
class. 34
Star property
 A subject s is granted write access to an
object o only if s has no read access to
an object o’ with y(o)≠y(o’) and x(o’) is
not empty
 That is, write access to an object is only
granted if no other object can be read
which is in a different company dataset
and contains unsanitised information.

35
 The Chinese Wall Model
 Not a true multi-level secure model
 The history of a subject’s access
determines access control
 Subject are only allowed access to info that
is not held to conflict with any other info
they already possess
 Once a subject accesses info from one
dataset, a wall is set up to protect info in
other datasets in the same conflict of
interest 36
Figure 27.6 in the book 37