Lecture 10: Security models and policy

1
Lecture 10 Security models and policy

• In this lecture we will cover
• Introduction to lattice based models
• Bell-La Padula model/policy
• Biba model/policy
• Harrison-Ruzzo-Ullman (HRU) model/policy

2
Lattice based models

• an important group of models are based on the
  concept of a lattice
• Lattices are defined by a partial ordering of
  items from some set e.g. 1, 2, 3, 4, 5, 6, 10,
  12, 15, 20, 30, 60
• an example of a partial ordering is the relation
  of X being a factor of Y i.e. Y is divisible by X
  giving an integer result or KX Y, where K is
  an integer e.g. 4 is a factor of 60 15460),
  and so is 2 30260 and so are many others
• when discussing partial orders the relation
  operation is normally represented by lt even if
  less than or equals in not the operation that is
  being used

3

• a partial ordering is an ordering of elements in
  a set defined by a relation between the items of
  the set that is
• 1. antisymmetric - if a lt b and b lt a, then ab
  e.g. if a is a factor of b and b is a factor of
  a then ab 12 is a factor of 12 and 1212
• 2. transitive - if a lt b and b lt c, then a lt c
  e.g. if a is a factor of b and b is a factor of c
  then a is a factor of c 2 is a factor of 6 and 6
  is a factor of 12 then 2 is a factor of 12
• 3. reflexive - alta e.g. a is a factor of itself
  20 is a factor of 20

4

• in a total ordering for each pair of elements in
  the set either altb or blta, but in a partial
  ordering there may be some pairs of elements for
  which neither altb or blta e.g. 4 is a factor of
  60 and 5 is a factor of 60, but 4 is not a factor
  of 5 or 5 of 4
• a lattice is a set of elements that have been
  ordered by a partial ordering, but ALSO in
  addition
• for every pair of elements in the set there is a
  greatest lower bound (glb) and and least upper
  bound (lub)

5

• every element x for which a lt x and blt x, then
  x is said to be an upper bound of a and b e.g.
  for 4 and 20, 60 is an upper bound 4 is a factor
  of 60 and 20 is a factor of 60
• every element x for which x lt a and x lt b is
  said to be a lower bound of a and b e.g. for 4
  and 20, 2 is a lower bound 2 is a factor of 4
  and 2 is a factor of 20

6

• a greatest lower bound for a and b is an element
  x for which x lt a and x lt b, but where all
  other lower bounds are lt x e.g. for 4 and 20, 4
  is the greatest lower bound 1, 2 and 4 (4lt4)
  are a lower bounds and 1 lt4 and 2lt4
• least upper bound for a and b is an element x for
  which a lt x and b lt x, but which is lt all
  other elements that are upper bounds e.g. for 4
  and 20, 20 is the least upper bound 20, 40, 60
  are upper bounds and 20 lt40 and 20lt60

7

• lattices are often depicted using a graph like
  that over the page - showing lattice based on
  partial ordering is a factor of over set of
  numbers 1, 2, 3, 4, 5, 6, 10, 12, 15, 20, 30,
  60
• NOTE - a line going from an element A to element
  B where A lt B indicates that A is the Greatest
  Lower Bound of the pair A,B and B is the Least
  Upper Bound of the pair A,B
• AND
• no other number C exists such that AltC and CltB
  i.e. the graph effectively shows nearest
  neighbours in the partial order

8
(No Transcript)
9

• Characteristics of a lattice are that
• 1. every element either has an element above them
  or they are the top of the lattice or they have
  an element below them or they are the bottom of
  the lattice
• 2. a lattice has only one element that is at the
  top and one element that is at the bottom
• lattices can be used to represent authority
  relationships
• compartments and security levels can be modelled
  as a lattice with the notion of dominance being
  the partial ordering relation

10

• For example a system with 2 security levels -
  public and private and 2 compartments - personnel
  and engineering
• the set of possible security classes i.e. the set
  of possible combinations of the pairs of security
  levels and compartment lists is
• public, ltgt
• public, ltEngineeringgt
• public, ltPersonnelgt
• public, ltEngineering, Personnelgt
• private, ltgt
• private, ltEngineeringgt
• private, ltPersonnelgt
• private, ltEngineering, Personnelgt

11

• remember A is dominated by B means item with
  classification A can be accessed by subject with
  clearance B represented by A lt B
• the dominance relations that hold between the
  classes is given below
• i) public, ltPersonnelgt lt private,
  ltPersonnelgt i.e. private clearance permits
  access to public and private in the same
  compartment
• ii) public, ltPersonnelgt lt public,
  ltEngineering, Personnelgt i.e. a clearance with
  given compartments allows clearance to access any
  single compartment in the list at the same or
  lower security level
• iii) public, ltPersonnelgt NOT lt private,
  ltEngineeringgt i.e. a clearance for a given list
  of compartments does not allow access to
  compartments not in the list whatever the
  security level

12
Example lattice representation
13
Bell-La Padula model/policy (BLP)

• this model/policy emphasises the protection of
  confidentiality
• it models the allowable information flow in a
  system
• used to define security requirements for systems
  handling information of differing sensitivity
  levels

14

• Model
• 1. a set of access rights - organised as an ACM
• 2. set of subjects - each of whom has a security
  class (clearance level)
• 3. set of objects - again each has a security
  class (classification level)
• 4. there is a partial ordering over the security
  classes i.e. there is a hierarchical relationship
  between the security classes with a single top
  level that has highest clearance and where
  information is most sensitive and with a single
  bottom level (e.g. publicly published
  information) that has a lowest clearance (anybody
  can have it) and sensitivity level

15

• in other words characteristics of a lattice
  structure
• Policy - this is represented by 2 properties that
  should be enforced if the system is to be secure
• Warning - the way these are normally presented in
  the literature can be quite confusing because it
  uses the words read for receive information and
  write for send information

16

• simple security property subject S can read O
  only if security class of O is lt security class
  of S translation S can receive information from
  O only if security class of S is greater than or
  equal to that of O
• sounds reasonable - this is also known as a no
  read-up policy - meaning no entity can
  read(receive information classed at) a higher
  security level

17

• -property Subject S can write (send/pass on
  information) to object P only if other objects O
  that S can read (receive information from) have a
  lower or at most equal security class to object P
  translation S can send information to P only if
  S can not receive information from entities with
  higher security level than P
• cannot send information to entities that have a
  lower security level than the maximum level at
  which S can receive information - also known as a
  no write down policy - meaning no entity can
  write (send information classed at any level) to
  a lower security level

18

• quite unreasonable in realistic settings - it
  essentially means that entities at a higher
  security level cannot pass on information even
  that classified at a lower security level at all
  e.g. the boffins working on the top secret
  project cannot talk to the catering staff even if
  it is to order their food
• it means that there is no channel by which
  information can flow from higher levels to lower
  - thus secure but impractical - you must be able
  to pass on lower classified information to
  subordinates - how else can anything get done -
  order passed on etc. - it may be secure but???

19

• There are 2 methods to escape from the -property
• 1. temporarily downgrade a high-level subject
• 2. identify a set of subject who are allowed to
  violate the -property - these would be trusted
  subjects
• If all subjects were at the same security level
  and all objects were at the same security level
  and total access permissions were granted on each
  object for each subject - everyone could access
  and modify anything - this would appear to be a
  system that lacks security

20

• But one criticism of the BLP policy is the above
  is consistent with both the simple security
  property and the more draconian -property
• Thus how can such a policy claim to define a
  secure system
• the response to that criticism is that if the
  needs of the system are such that everyone should
  have complete access to everything, then the
  security policy should permit that, strange
  though that might seem i.e. It is not insecure if
  the owners of the system want it that way

21

• it is also an issue that users and objects once
  they acquire a security level cannot have that
  security level changed without violating the
  policy - the requirement that security levels and
  access rights never change is known as
  tranquillity
• BLP played an important role in the development
  of security in early operating systems that lead
  to the development of ACLs, etc.
• however, it only focuses on confidentiality -
  information flows and ignores integrity issues
  and denial of service

22
Biba model/policy

• the Biba model/policy attempts to address the
  needs of integrity rather than confidentiality
• the model is structured in the same way BLP with
  subjects, objects and an ACM, the security levels
  are named Integrity levels
• it is effectively a complement to BLP
• the policy also mirrors the confidentiality
  properties of the BLP policy
• to confuse matters Biba uses read and write, but
  differently from BLP - it uses more traditional
  sense

23

• Policy is based on properties like BLP
• simple integrity property subject S can write
  to (modify) O only if Integrity (security) level
  of S is gt Integrity (security) level of O
  translation - S cannot modify O if O is at a
  higher security level than S
• also known as no write up

24

• Integrity -property subject S can write to
  (modify) P only if other objects S can read are
  at the same or higher integrity level than P
  translation - S cannot modify an object unless S
  can read objects at that security level or
  higher
• No standard also known as for this property but
  we can call it - no write unless you can read
• Biba policy is trying to protect a system against
  untrustworthy sources of information and
  modification

25
Procedure based models

• a criticism of BLP and Biba is that they only
  model the static situation of a set of
  users.objects and access rights, it does not
  attempt to model the more dynamic situation where
  access rights may change and objects may be
  created and destroyed, etc,
• they do not model the transformations in the
  security situation
• the following model may be called procedural
  because it attempts to model processes by which
  security situation changes

26
Harrison-Ruzzo-Ullman (HRU)

• model has a set of subjects, objects, and access
  rights held in an Access Control Matrix (ACM) -
  note however that in HRU ACM subjects are also
  treated as objects
• but in addition there are a set of 6 primitive
  operations
• create subject s
• create object o
• delete subject s
• delete object o
• enter right r into ACM for s and o
• delete right r from ACM for s and o

27

• from these primitives commands can be constructed
• structure of a command is
• command name(o1, ....oi....on)
• if r1 in ACMs1,o1 and
• if r2 in ACMs2,o2 .......
• ..............
• then
• op1
• op2
• .............
• End

28
example command

• s1 grants read access to s2 to file1
• command grant-read(s1,s2,file1)
• if owner in ACMs1,file1
• then enter read in ACMS2,file1
• end
• in HRU a protection system is a collection of
  subjects, objects, rights and commands

29

• this model can be used to model a number of real
  protection mechanisms
• Use of HRU has produced 2 significant general
  results
• 1. if commands in a system are restricted to
  commands which guard (through the conditions) the
  execution of single primitive operations, then it
  is possible to determine whether a given subject
  can ever obtain a particular right to an object -
  so we can determine whether some person who
  should not have access actually gets access to
  some object

30

• 2. if commands in a system are unrestricted i.e.
  The conditions guard the execution of multiple
  primitive operations, it is impossible for every
  case to determine whether a given protection
  system can confer a given right on an individual
  - so we can never be sure whether the system is
  successful in providing the protection we need
• however, it may be possible for some cases
  (quite a large number) to determine this, but we
  can never do so in general