SECURITY POLICIES
Slides: 31

SECURITY POLICIES
Security Policies
Types of Security Policies
The Role of Trust
Types of Access Control

SECURITY POLICY
Definition: a security policy is a statement that partitions system states into:
Authorized (secure): these are states the system can enter
Unauthorized (nonsecure): if the system enters any of these states, it’s a security violation

SECURE SYSTEM
Definition: a secure system is a system that
starts in an authorized state
never enters an unauthorized state
(figure: http://www.blog.transmac.eu/wp-content/uploads/2015/06/secure-system-3-big.jpg)

BREACH OF SECURITY
(figure: state-transition diagram with states s1 to s4 and transitions t1 to t5)
Definition: when a system enters an unauthorized state.

DEFINITION: CONFIDENTIALITY
X set of entities, I information
I has the confidentiality property with respect to X if no x ∈ X can obtain information from I
I can be disclosed to others
Example: X set of students, I final exam answer key
I is confidential with respect to X if students cannot obtain the final exam answer key

INTEGRITY
X set of entities, I information
I has the integrity property with respect to X if all x ∈ X trust the information in I
Types of integrity:
trust I, its conveyance and protection (data integrity)
I information about the origin of something or an identity (origin integrity, authentication)
I resource: means the resource functions as it should (assurance)

AVAILABILITY
X set of entities, I resource
I has the availability property with respect to X if all x ∈ X can access I
Types of availability:
traditional: x gets access or not
quality of service: a level of access is promised (for example, a specific level of bandwidth) and not met, even though some access is achieved, e.g. the service is not provided in a timely manner

MECHANISM
A security mechanism is an entity or procedure that enforces some part of the security policy
Example:
Policy: the statement that no student may copy another student’s homework
Mechanism: file access control; set permissions to prevent access to a particular file

TYPES OF SECURITY POLICIES
Definition: Military (governmental) security policy: policy primarily protecting confidentiality
Example: information about a military mission
Definition: Commercial security policy: policy primarily protecting integrity
Confidentiality: leak of customer account information
Integrity: modification of a customer account balance

TYPES OF SECURITY POLICIES
Definition: Confidentiality policy: policy protecting only confidentiality
Definition: Integrity policy: policy protecting only integrity

TYPES OF ACCESS CONTROL
Discretionary Access Control (DAC, IBAC): individual user sets the access control mechanism to allow or deny access to an object
Mandatory Access Control (MAC): system mechanism controls access to the object, and the individual cannot alter that access
Originator Controlled Access Control (ORCON): originator (creator) of information controls who can access the information

TYPES OF ACCESS CONTROL
Discretionary Access Control (DAC, IBAC)

TYPES OF ACCESS CONTROL
Mandatory Access Control (MAC): system mechanism controls access to the object, and the individual cannot alter that access

TYPES OF ACCESS CONTROL
Originator Controlled Access Control (ORCON): originator (creator) of information controls who can access the information
Microsoft sold you software: now you are the owner and Microsoft is the originator
You, as the owner, cannot distribute the software to others
Microsoft, the originator, decides who can access the software

DAC VS ORCON
Is the owner the same as the originator?
If yes, then it is DAC; if no, then it is ORCON
In other words, has the originator passed the data to another person?
If the originator still owns the data, then it is DAC; otherwise, it is ORCON

CONFIDENTIALITY POLICIES
Overview
What is a confidentiality model
Bell-LaPadula Model
General idea
Informal description of rules

CONFIDENTIALITY POLICY
Also called Information Flow Policy
Goal: prevent the unauthorized disclosure of information
Deals with information flow
Unauthorized alteration of information (integrity) is secondary
Multi-level security models are the best-known examples
Bell-LaPadula Model is the basis for many, or most, of these

BELL-LAPADULA MODEL, STEP 1
Security levels arranged in a linear ordering:
Top Secret: highest
Secret
Confidential
Unclassified: lowest
A subject has security clearance L(S)
An object has security classification L(O)

EXAMPLE
(figure: https://image1.slideserve.com/2402281/the-bell-lapadula-model-n.jpg)

READING INFORMATION
Information flows up, not down
“Reads up” disallowed, “reads down” allowed
Simple Security Condition (Preliminary Version): subject s can read object o iff L(o) ≤ L(s) and s has permission to read o
Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
Sometimes called the “no reads up” rule

WRITING INFORMATION
Information flows up, not down
“Writes up” allowed, “writes down” disallowed
*-Property (Star Property, Preliminary Version): subject s can write object o iff L(s) ≤ L(o) and s has permission to write o
Sometimes called the “no writes down” rule

NO WRITE DOWN
(figure: https://www.happyschools.com/wp-content/uploads/2015/09/university-organization-chart.jpg)

BASIC SECURITY THEOREM, STEP 1
If a system is initially in a secure state, and every transition of the system satisfies the simple security condition (preliminary version), and every transition of the system satisfies the *-property (preliminary version), then every state of the system is secure

BELL-LAPADULA MODEL, STEP 2
(figure: organization chart)
College of Computing and Software Engineering
Department of Computer Science
Department of Information Technology
Department of Software Engineering

BELL-LAPADULA MODEL, STEP 2
(figure: clearances TOP SECRET, CONFIDENTIAL and UNCLASSIFIED, each combined with the categories NUC, EUR, US)

BELL-LAPADULA MODEL, STEP 2
Security level is (clearance, category set)
Examples:
(Top Secret, {NUC, EUR, US})
(Confidential, {EUR, US})
(Secret, {NUC, US})
Examples:
Subject s: (Top Secret, {NUC, EUR})
Object o: (Confidential, {US})
Should s have access to o?

LEVELS
Definition: (L, C) dom (L′, C′) iff L′ ≤ L and C′ ⊆ C
Examples:
(Top Secret, {NUC, US}) dom (Secret, {NUC})
(Secret, {NUC, EUR}) dom (Confidential, {NUC, EUR})
(Top Secret, {NUC}) ¬dom (Confidential, {EUR}), since {EUR} ⊄ {NUC}
“dominates” serves the role of “greater than” in step 1

EXAMPLE
George: (Secret, {NUC, EUR})
Doc A: (Confidential, {NUC})
Doc B: (Secret, {EUR, US})
Doc C: (Secret, {EUR})
George dom Doc A?
George dom Doc B?
George dom Doc C?

READING INFORMATION
Information flows up, not down
“Reads up” disallowed, “reads down” allowed
Simple Security Condition (Step 2): subject s can read object o iff L(s) dom L(o) and s has permission to read o
Sometimes called the “no reads up” rule

WRITING INFORMATION
Information flows up, not down
“Writes up” allowed, “writes down” disallowed
*-Property (Step 2): subject s can write object o iff L(o) dom L(s) and s has permission to write o
Sometimes called the “no writes down” rule

BASIC SECURITY THEOREM, STEP 2
If a system is initially in a secure state, and every transition of the system satisfies the simple security condition (step 2), and every transition of the system satisfies the *-property (step 2), then every state of the system is secure
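Added example (my code, not from the slides): the step 2 dominance relation, the simple security condition and the *-property in Python, together with the discretionary permission part that the step 1 note says is combined with the mandatory check; it is run on the deck's own examples (the s/o pair, George's documents). The ACL permission sets are constructed sample data.

```python
# Added example (not from the slides): Bell-LaPadula step 2 dominance, the simple
# security condition and the *-property, plus the discretionary permission check
# from the step 1 note. The ACL values below are constructed sample data.
from dataclasses import dataclass

CLEARANCES = ["Unclassified", "Confidential", "Secret", "Top Secret"]  # low -> high (step 1)

@dataclass(frozen=True)
class Level:
    clearance: str          # L: position in the linear ordering
    categories: frozenset   # C: category set, e.g. {NUC, EUR}

    def dom(self, other):
        # (L, C) dom (L', C') iff L' <= L and C' is a subset of C
        return (CLEARANCES.index(other.clearance) <= CLEARANCES.index(self.clearance)
                and other.categories <= self.categories)

def lvl(clearance, *cats):
    return Level(clearance, frozenset(cats))

def can_read(s_level, o_level, perms):
    # Simple security condition: L(s) dom L(o) AND s has discretionary read permission
    return s_level.dom(o_level) and "read" in perms

def can_write(s_level, o_level, perms):
    # *-property: L(o) dom L(s) AND s has discretionary write permission
    return o_level.dom(s_level) and "write" in perms

def george_access():
    # The George slide: returns {doc: (may read, may write)} with an ACL that grants
    # both permissions, so only the mandatory (dominance) part decides.
    george = lvl("Secret", "NUC", "EUR")
    docs = {"DocA": lvl("Confidential", "NUC"),
            "DocB": lvl("Secret", "EUR", "US"),
            "DocC": lvl("Secret", "EUR")}
    acl = {"read", "write"}
    return {d: (can_read(george, o, acl), can_write(george, o, acl)) for d, o in docs.items()}

def step2_subject_object():
    # s = (Top Secret, {NUC, EUR}), o = (Confidential, {US}): neither level dominates
    # the other (US is not among s's categories), so s can neither read nor write o.
    s, o = lvl("Top Secret", "NUC", "EUR"), lvl("Confidential", "US")
    return can_read(s, o, {"read", "write"}), can_write(s, o, {"read", "write"})

def mac_allows_but_dac_denies():
    # Dominance holds, but the ACL grants no read: the combined rule still denies.
    return can_read(lvl("Top Secret", "NUC", "US"), lvl("Secret", "NUC"), set())
```

George ends up read-only on Doc A and Doc C and has no access to Doc B, because a write would require the document's level to dominate his.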