Confidentiality Policies Overview What is a confidentiality model

  • Slides: 15
Download presentation
Confidentiality Policies • Overview – What is a confidentiality model • Bell-La. Padula Model

Confidentiality Policies • Overview – What is a confidentiality model • Bell-La. Padula Model – General idea – Informal description of rules Introduction to Computer Security © 2004 Matt Bishop Slide #5 -1

Confidentiality Policy • Goal: prevent the unauthorized disclosure of information – Deals with information

Confidentiality Policy • Goal: prevent the unauthorized disclosure of information – Deals with information flow – Integrity incidental • Multi-level security models are best-known examples – Bell-La. Padula Model basis for many, or most, of these Introduction to Computer Security © 2004 Matt Bishop Slide #5 -2

Bell-La. Padula Model, Step 1 • Security levels arranged in linear ordering – Top

Bell-La. Padula Model, Step 1 • Security levels arranged in linear ordering – Top Secret: highest – Secret – Confidential – Unclassified: lowest • Levels consist of security clearance L(s) – Objects have security classification L(o) Introduction to Computer Security © 2004 Matt Bishop Slide #5 -3

Example Security level Subject Object Top Secret Tamara Personnel Files Secret Samuel E-Mail Files

Example Security level Subject Object Top Secret Tamara Personnel Files Secret Samuel E-Mail Files Confidential Claire Activity Logs Unclassified James Telephone Lists • Tamara can read all files • Claire cannot read Personnel or E-Mail Files • James can only read Telephone Lists Slide #5 -4

Notation • L(S)=ls security clearance of subject S • L(O)=lo security classification of object

Notation • L(S)=ls security clearance of subject S • L(O)=lo security classification of object O • For all classification li = 0, …, k-1, li<li+1 Introduction to Computer Security © 2004 Matt Bishop Slide #5 -5

Reading Information • “Reads up” disallowed, “reads down” allowed • Simple Security Condition (Step

Reading Information • “Reads up” disallowed, “reads down” allowed • Simple Security Condition (Step 1) – Subject s can read object o iff L(o) ≤ L(s) and s has permission to read o • Note: combines mandatory control (MAC) and discretionary control (DAC) – Sometimes called “no reads up” rule Introduction to Computer Security © 2004 Matt Bishop Slide #5 -6

Writing Information • Information flows up, not down – “Writes up” allowed, “writes down”

Writing Information • Information flows up, not down – “Writes up” allowed, “writes down” disallowed • *-Property (Step 1) – Subject s can write object o iff L(s) ≤ L(o) and s has permission to write o • Combines mandatory control (relationship of security levels) and discretionary control (the required permission) – Sometimes called “no writes down” rule Introduction to Computer Security © 2004 Matt Bishop Slide #5 -7

Basic Security Theorem, Step 1 • If a system is initially in a secure

Basic Security Theorem, Step 1 • If a system is initially in a secure state, and every transition of the system satisfies the simple security condition and the *property, then every state of the system is secure – Proof: induct on the number of transitions Introduction to Computer Security © 2004 Matt Bishop Slide #5 -8

Bell-La. Padula Model, Step 2 • Expand notion of security level to include categories

Bell-La. Padula Model, Step 2 • Expand notion of security level to include categories • Security level is (clearance, category set) • Examples – (Top Secret, {NUC, EUR, ASI}) – (Confidential, {EUR, ASI) – (Secret, {NUC, ASI }) Introduction to Computer Security © 2004 Matt Bishop Slide #5 -9

The Lattice Hierarchy Introduction to Computer Security © 2004 Matt Bishop Slide #5 -10

The Lattice Hierarchy Introduction to Computer Security © 2004 Matt Bishop Slide #5 -10

Dominate (dom) Relationship • Captures the combination of security classification and category set •

Dominate (dom) Relationship • Captures the combination of security classification and category set • (A, C) dom (A , C ) iff A ≤ A and C C • Examples – (Top Secret, {NUC, ASI}) dom (Secret, {NUC}) – (Secret, {NUC, EUR}) dom (Confidential, {NUC, EUR}) – (Top Secret, {NUC}) dom (Confidential, {EUR}) Introduction to Computer Security © 2004 Matt Bishop Slide #5 -11

An Example of dom Relationship • George is cleared into security level (S, {NUC,

An Example of dom Relationship • George is cleared into security level (S, {NUC, EUR}) • Doc. A is classified as (C, {NUC}) • Doc. B is classified as (S, {EUR, US}) • Doc. C is classified as (S, {EUR}) • George dom Doc. A • George dom Doc. B • George dom Doc. C Introduction to Computer Security © 2004 Matt Bishop Slide #5 -12

Reading Information - New • Information flows up, not down – “Reads up” disallowed,

Reading Information - New • Information flows up, not down – “Reads up” disallowed, “reads down” allowed • Simple Security Condition (Step 2) – Subject s can read object o iff L(s) dom L(o) and s has permission to read o • Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission) – Sometimes called “no reads up” rule Introduction to Computer Security © 2004 Matt Bishop Slide #5 -13

Writing Information - New • Information flows up, not down – “Writes up” allowed,

Writing Information - New • Information flows up, not down – “Writes up” allowed, “writes down” disallowed • *-Property (Step 2) – Subject s can write object o iff L(o) dom L(s) and s has permission to write o • Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission) – Sometimes called “no writes down” rule Introduction to Computer Security © 2004 Matt Bishop Slide #5 -14

Key Points • Confidentiality models restrict flow of information • Bell-La. Padula models multilevel

Key Points • Confidentiality models restrict flow of information • Bell-La. Padula models multilevel security – Cornerstone of much work in computer security Introduction to Computer Security © 2004 Matt Bishop Slide #5 -15