Security ECS 289M
These 17 pages of class notes were uploaded by Ashleigh Dare on Tuesday, September 8, 2015. They belong to ECS 289M at the University of California - Davis, taught by Staff in Fall.
Date Created: 09/08/15
ECS 289M Lecture 11, April 24, 2006
ECS 289M, Foundations of Computer and Information Security

Requirements of Policies
1. Users will not write their own programs, but will use existing production programs and databases.
2. Programmers will develop and test programs on a nonproduction system; if they need access to actual data, they will be given production data via a special process, but will use it on their development system.
3. A special process must be followed to install a program from the development system onto the production system.
4. The special process in requirement 3 must be controlled and audited.
5. The managers and auditors must have access to both the system state and the system logs that are generated.

Entities
- CDIs: constrained data items, data subject to integrity controls
- UDIs: unconstrained data items, data not subject to integrity controls
- IVPs: integrity verification procedures, procedures that test that the CDIs conform to the integrity constraints
- TPs: transaction procedures, procedures that take the system from one valid state to another

Certification Rules 1 and 2
CR1. When any IVP is run, it must ensure that all CDIs are in a valid state.
CR2. For some associated set of CDIs, a TP must transform those CDIs in a valid state into a (possibly different) valid state.
- Defines the relation "certified", which associates a set of CDIs with a particular TP
- Example: in the bank example, the TP is "balance" and the CDIs are the accounts

Enforcement Rules 1 and 2
ER1. The system must maintain the certified relations, and must ensure that only TPs certified to run on a CDI manipulate that CDI.
ER2. The system must associate a user with each TP and set of CDIs. The TP may access those CDIs on behalf of the associated user. The TP cannot access that CDI on behalf of a user not associated with that TP and CDI.
- The system must maintain and enforce the certified relation
- The system must also restrict access based on user ID (the allowed relation)

Users and Rules
CR3. The allowed relations must meet the requirements imposed by the principle of separation of duty.
ER3. The system must authenticate each user attempting to execute a TP.
- The type of authentication is undefined and depends on the instantiation
- Authentication is not required before use of the system, but is required before manipulation of CDIs (which requires using TPs)

Logging
CR4. All TPs must append enough information to reconstruct the operation to an append-only CDI.
- This CDI is the log
- The auditor needs to be able to determine what happened during reviews of transactions

Handling Untrusted Input
CR5. Any TP that takes as input a UDI may perform only valid transformations, or no transformations, for all possible values of the UDI. The transformation either rejects the UDI or transforms it into a CDI.
- In the bank, numbers entered at the keyboard are UDIs, so they cannot be input to TPs directly. TPs must validate the numbers (making them CDIs) before using them; if validation fails, the TP rejects the UDI.

Separation of Duty in the Model
ER4. Only the certifier of a TP may change the list of entities associated with that TP. No certifier of a TP, or of an entity associated with that TP, may ever have execute permission with respect to that entity.
- Enforces separation of duty with respect to the certified and allowed relations

Comparison with Requirements
1. Users can't certify TPs, so CR5 and ER4 enforce this.
2. Procedural, so the model doesn't directly cover it; but the special process corresponds to using a TP.
- No technical controls can prevent a programmer from developing a program on the production system.
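The certification and enforcement rules above, run as code. This is an added example written for these notes, not code from the lecture or from Clark and Wilson: a toy Python kernel for the bank example in which the only way to touch a CDI is through a certified TP. All names (System, run_tp, transfer, zero_out, the users carol, dave and erin, and the account balances) are constructed for the illustration.

```python
class IntegrityViolation(Exception):
    """Raised when a request would violate one of the Clark-Wilson rules."""

class System:
    def __init__(self, accounts):
        # CDIs: account name -> balance in cents (constructed sample data). The
        # IVP's constraint: no negative balance, and the total never changes.
        self.cdis = dict(accounts)
        self.total = sum(accounts.values())
        self.log = []               # the append-only log CDI (CR4)
        self.tps = {}               # TP name -> implementation
        self.certified = {}         # certified relation: TP -> frozenset of CDIs (ER1)
        self.certifier = {}         # TP -> user who certified it (ER4)
        self.allowed = {}           # allowed relation: (user, TP) -> frozenset of CDIs (ER2)
        self.authenticated = set()  # users who have authenticated (ER3)

    def ivp(self):
        """CR1: report whether every CDI is in a valid state."""
        return all(b >= 0 for b in self.cdis.values()) and sum(self.cdis.values()) == self.total

    def certify(self, certifier, name, fn, cdis):
        """Trusted personnel certify TP `fn` for a set of CDIs (CR2, ER1)."""
        self.tps[name], self.certified[name], self.certifier[name] = fn, frozenset(cdis), certifier

    def allow(self, user, tp, cdis):
        """Extend the allowed relation (ER2), subject to ER1 and ER4."""
        cdis = frozenset(cdis)
        if user == self.certifier[tp]:
            raise IntegrityViolation(f"ER4: {user} certified {tp} and may not execute it")
        if not cdis <= self.certified[tp]:
            raise IntegrityViolation(f"ER1: {tp} is not certified for {sorted(cdis - self.certified[tp])}")
        self.allowed[(user, tp)] = cdis

    def run_tp(self, user, tp, cdis, *args):
        """The only path to a CDI: ER3, ER2, CR1, run the TP on a copy, IVP again, log (CR4)."""
        if user not in self.authenticated:
            raise IntegrityViolation(f"ER3: {user} has not authenticated")
        cdis = frozenset(cdis)
        if not cdis <= self.allowed.get((user, tp), frozenset()):
            raise IntegrityViolation(f"ER2: {user} may not run {tp} on {sorted(cdis)}")
        if not self.ivp():
            raise IntegrityViolation("CR1: CDIs not in a valid state before the TP")
        before = {c: self.cdis[c] for c in cdis}
        after = self.tps[tp](dict(before), *args)   # the TP sees only its own CDIs
        if set(after) - cdis:
            raise IntegrityViolation(f"ER1: {tp} touched CDIs outside its certified set")
        self.cdis.update(after)
        if not self.ivp():                           # catches a mis-certified TP (CR2)
            self.cdis.update(before)                 # roll back
            raise IntegrityViolation(f"CR2: {tp} would leave the CDIs in an invalid state")
        self.log.append((user, tp, before, after, args))  # enough to reconstruct the operation
        return after

def transfer(accounts, src, dst, amount_udi):
    """TP: move money between accounts. `amount_udi` models a number typed at the
    keyboard, a UDI; CR5 says it is validated into a CDI or rejected, never used raw."""
    if not (isinstance(amount_udi, str) and amount_udi.isdigit()):
        raise IntegrityViolation(f"CR5: rejecting UDI {amount_udi!r}")
    amount = int(amount_udi)                          # validated non-negative integer: a CDI
    if amount > accounts[src]:
        raise IntegrityViolation("CR5: rejecting UDI, transfer would overdraw the account")
    accounts[src] -= amount
    accounts[dst] += amount
    return accounts

def zero_out(accounts, name):
    """A buggy TP that was certified by mistake: it destroys money."""
    accounts[name] = 0
    return accounts

def demo():
    """Run the bank scenario; return the system and which rule stopped each request."""
    bank = System({"alice": 10_000, "bob": 5_000})
    bank.certify("carol", "transfer", transfer, ["alice", "bob"])
    bank.certify("carol", "zero_out", zero_out, ["alice", "bob"])
    bank.allow("dave", "transfer", ["alice", "bob"])
    bank.allow("dave", "zero_out", ["alice", "bob"])
    bank.authenticated.add("dave")
    accts = ["alice", "bob"]
    attempts = {
        "valid transfer":     lambda: bank.run_tp("dave", "transfer", accts, "alice", "bob", "2500"),
        "garbage amount":     lambda: bank.run_tp("dave", "transfer", accts, "alice", "bob", "25.00"),
        "overdraw":           lambda: bank.run_tp("dave", "transfer", accts, "bob", "alice", "999999"),
        "unauthenticated":    lambda: bank.run_tp("erin", "transfer", accts, "alice", "bob", "1"),
        "mis-certified TP":   lambda: bank.run_tp("dave", "zero_out", accts, "alice"),
        "certifier executes": lambda: bank.allow("carol", "transfer", accts),
    }
    outcomes = {}
    for label, attempt in attempts.items():
        try:
            attempt()
            outcomes[label] = "ok"
        except IntegrityViolation as e:
            outcomes[label] = str(e).split(":")[0]    # the rule that fired
    return bank, outcomes
```

Two things worth noticing. The IVP runs before and after every TP, so a TP that was certified by mistake (zero_out) is caught at run time and rolled back, even though CR2 is formally a certification rule rather than an enforcement rule. And the CR5 check lives inside the TP rather than in the kernel, because only the TP knows what a valid amount is for the CDIs it manipulates.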
Comparison with Requirements (continued)
- The usual control is to delete software tools.
3. A TP does the installation; trusted personnel do the certification.
4. CR4 provides logging; ER3 authenticates the trusted personnel doing the installation; CR5 and ER4 control the installation procedure. A new program is a UDI before certification, and a CDI (and TP) after.
5. The log is a CDI, so an appropriate TP can provide managers and auditors with access. Access to the state is handled similarly.

Comparison to Biba
- Biba: no notion of certification rules; trusted subjects ensure actions obey the rules. Untrusted data is examined before being made trusted.
- Clark-Wilson: explicit requirements that actions must meet. A trusted entity must certify the method used to upgrade untrusted data (and does not certify the data itself).

Chinese Wall Model
- Problem: Tony advises American Bank about investments. He is asked to advise Toyland Bank about investments.
- It is a conflict of interest to accept, because his advice for either bank would affect his advice to the other bank.

Organization
- Organize entities into "conflict of interest" classes
- Control subject accesses to each class
- Control writing to all classes to ensure information is not passed along in violation of the rules
- Allow sanitized data to be viewed by everyone

Definitions
- Objects: items of information related to a company
- Company dataset (CD): contains objects related to a single company. Written $CD(o)$
- Conflict of interest class (COI): contains the datasets of companies in competition. Written $COI(o)$
- Assume: each object belongs to exactly one COI class

Example COI classes (figure)
- Bank COI class: Bank of America, Citibank, Bank of the West
- Gasoline company COI class: Shell Oil, Standard Oil, Union 76, ARCO

Temporal Element
- If Anthony reads any CD in a COI, he can never read another CD in that COI. Information learned earlier may allow him to make decisions later.
- Let $PR(s)$ be the set of objects that $s$ has already read.

CW-Simple Security Condition
$s$ can read $o$ iff either condition holds:
1. There is an $o'$ such that $s$ has accessed $o'$ and $CD(o') = CD(o)$. Meaning: $s$ has read something in $o$'s dataset.
2. For all $o' \in O$, $o' \in PR(s) \Rightarrow COI(o') \neq COI(o)$. Meaning: $s$ has not read any objects in $o$'s conflict of interest class.
- Ignores sanitized data (see below)
- Initially $PR(s) = \emptyset$, so the initial read request is granted

Sanitization
- Public information may belong to a CD. As it is publicly available, no conflicts of interest arise, so it should not affect the ability of analysts to read it.
- Typically, all sensitive data is removed from such information before it is released publicly (called sanitization).
- Add a third condition to the CW-simple security condition:
3. $o$ is a sanitized object

Writing
- Anthony and Susan work in the same trading house. Anthony can read Bank 1's CD and Gas's CD. Susan can read Bank 2's CD and Gas's CD.
- If Anthony could write to Gas's CD, Susan could read it. Hence, indirectly, she could read information from Bank 1's CD, a clear conflict of interest.

CW-*-Property
$s$ can write to $o$ iff both of the following hold:
1. The CW-simple security condition permits $s$ to read $o$; and
2. For all unsanitized objects $o'$, if $s$ can read $o'$, then $CD(o') = CD(o)$.
- Says that $s$ can write to an object if all the (unsanitized) objects it can read are in the same dataset.
Formalism
- Goal: figure out how information flows around the system
- $S$ set of subjects, $O$ set of objects, $L = C \times D$ set of labels
- $l_1 : O \to C$ maps objects to their COI classes
- $l_2 : O \to D$ maps objects to their CDs
- $H(s, o)$ true iff $s$ has or had read access to $o$
- $R(s, o)$: $s$'s request to read $o$

Axioms
- Axiom 7-1. For all $o, o' \in O$, if $l_2(o) = l_2(o')$, then $l_1(o) = l_1(o')$. CDs do not span COIs.
- Axiom 7-2. $s \in S$ can read $o \in O$ iff, for all $o' \in O$ such that $H(s, o')$, either $l_1(o') \neq l_1(o)$ or $l_2(o') = l_2(o)$. That is, $s$ can read $o$ iff $o$ is either in a different COI than every other $o'$ that $s$ has read, or in the same CD as $o'$.

More Axioms
- Axiom 7-3. $\neg H(s, o)$ for all $s \in S$ and $o \in O$ is an initially secure state. Description of the initial state; assumed secure.
- Axiom 7-4. If for some $s \in S$ and all $o \in O$, $\neg H(s, o)$, then any request $R(s, o)$ is granted. If $s$ has read no object, it can read any object.

Which Objects Can Be Read
Theorem. Suppose $s \in S$ has read $o \in O$. If $s$ can read $o' \in O$, $o' \neq o$, then $l_1(o') \neq l_1(o)$ or $l_2(o') = l_2(o)$. Says $s$ can read only the objects in a single CD within any COI.

Proof
Assume false. Then
$$H(s, o) \wedge H(s, o') \wedge l_1(o') = l_1(o) \wedge l_2(o') \neq l_2(o).$$
Assume $s$ read $o$ first. Then $H(s, o)$ held when $s$ read $o'$, so by Axiom 7-2 either $l_1(o') \neq l_1(o)$ or $l_2(o') = l_2(o)$; so
$$\bigl(l_1(o') \neq l_1(o) \vee l_2(o') = l_2(o)\bigr) \wedge \bigl(l_1(o') = l_1(o) \wedge l_2(o') \neq l_2(o)\bigr).$$
Rearranging terms,
$$\bigl(l_1(o') \neq l_1(o) \wedge l_2(o') \neq l_2(o) \wedge l_1(o') = l_1(o)\bigr) \vee \bigl(l_2(o') = l_2(o) \wedge l_2(o') \neq l_2(o) \wedge l_1(o') = l_1(o)\bigr),$$
which is obviously false: contradiction.

Lemma
Suppose a subject $s \in S$ can read an object $o \in O$. Then $s$ can read no $o'$ for which $l_1(o') = l_1(o)$ and $l_2(o') \neq l_2(o)$. So a subject can access at most one CD in each COI class.
Sketch of proof: the initial case follows from Axioms 7-3 and 7-4. If $o' \neq o$, the theorem immediately gives the lemma.

COIs and Subjects
Theorem. Let $c \in C$. Suppose there are $n$ objects $o_i \in O$, $1 \le i \le n$, such that $l_1(o_i) = c$ for $1 \le i \le n$, and $l_2(o_i) \neq l_2(o_j)$ for $1 \le i, j \le n$, $i \neq j$. Then for all such $o_i$ there is an $s \in S$ that can read $o_i$ iff $n \le |S|$. If a COI has $n$ CDs, you need at least $n$ subjects to access every object.
Proof sketch: if $s$ can read $o_i$, it cannot read any $o_j$ in another CD in that COI (Axiom 7-2). As there are $n$ such CDs, there must be at least $n$ subjects to meet the conditions of the theorem.

Sanitized Data
- $v(o)$: sanitized version of object $o$. For purposes of analysis, place all of them in a special CD in a COI containing no other CDs.
- Axiom 7-5. $l_1(o) = l_1(v(o))$ iff $l_2(o) = l_2(v(o))$.

Which Objects Can Be Written
Axiom 7-6. $s \in S$ can write to $o \in O$ iff the following hold simultaneously:
1. $H(s, o)$
2. There is no $o' \in O$ with $H(s, o')$, $l_2(o) \neq l_2(o')$, $l_2(o) \neq l_2(v(o))$, $l_2(o') \neq l_2(v(o'))$.
- Allow writing iff information cannot leak from one subject to another through a "mailbox"
- Note the handling for sanitized objects

How Information Flows
- Definition: information may flow from $o$ to $o'$ if there is a subject $s$ such that $H(s, o)$ and $H(s, o')$.
- Intuition: if $s$ can read two objects, it can act on that knowledge, so information flows between the objects through the nexus of the subject.
- Write the above situation as $(o, o')$.

Key Result
The set of all information flows is
$$\{ (o, o') \mid o \in O \wedge o' \in O \wedge (l_2(o) = l_2(o') \vee l_2(o) = l_2(v(o))) \}.$$
Sketch of proof: the definition gives the set of flows
$$F = \{ (o, o') \mid o \in O \wedge o' \in O \wedge \exists s \in S \text{ such that } H(s, o) \wedge H(s, o') \}.$$
Axiom 7-6 excludes the following flows:
$$X = \{ (o, o') \mid o \in O \wedge o' \in O \wedge l_2(o) \neq l_2(o') \wedge l_2(o) \neq l_2(v(o)) \}.$$
So, letting $F^*$ be the transitive closure of $F$,
$$F^* - X = \{ (o, o') \mid o \in O \wedge o' \in O \wedge \neg(l_2(o) \neq l_2(o') \wedge l_2(o) \neq l_2(v(o))) \},$$
which is equivalent to the claim.
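The informal CW-simple security condition and CW-*-property, and the axioms and key result that follow them, as one runnable model. This is an added example written for these notes, not code from the lecture: it keeps $H(s, o)$ as a per-subject history, decides reads by Axiom 7-2 plus the sanitized clause, decides writes by Axiom 7-6, records a flow $(o, o')$ whenever a subject that has read $o$ writes $o'$, and checks the transitive closure of the observed flows against the key result. The class ChineseWall, the object names and the special "public"/"sanitized" labels that hold every $v(o)$ are constructed; condition 1 of Axiom 7-6 is modelled by requiring a prior read, and since the notes treat sanitization as a separate step, the scenario never writes a sanitized object.

```python
from collections import defaultdict

PUBLIC_COI, SANITIZED_CD = "public", "sanitized"   # the special COI/CD holding every v(o)


class ChineseWall:
    def __init__(self, labels):
        """labels: object -> (l1(o), l2(o)), i.e. (COI class, company dataset)."""
        self.l1 = {o: coi for o, (coi, _) in labels.items()}
        self.l2 = {o: cd for o, (_, cd) in labels.items()}
        coi_of_cd = {}                        # Axiom 7-1: a CD never spans two COIs
        for o in labels:
            if coi_of_cd.setdefault(self.l2[o], self.l1[o]) != self.l1[o]:
                raise ValueError(f"Axiom 7-1: CD {self.l2[o]} spans two COIs")
        self.H = defaultdict(set)             # H(s, o) holds iff o in self.H[s]
        self.flows = set()                    # (o, o'): some s read o and then wrote o'

    def sanitized(self, o):
        return self.l2[o] == SANITIZED_CD     # l2(o) = l2(v(o))

    def can_read(self, s, o):
        """CW-simple security condition (Axiom 7-2 plus the sanitized clause). With
        H[s] empty the condition holds vacuously: the first read is granted (Axiom 7-4)."""
        if self.sanitized(o):
            return True
        return all(self.l1[p] != self.l1[o] or self.l2[p] == self.l2[o] for p in self.H[s])

    def read(self, s, o):
        if not self.can_read(s, o):
            return False
        self.H[s].add(o)                      # the history is what makes CW temporal
        return True

    def can_write(self, s, o):
        """CW-*-property / Axiom 7-6: s holds read access to o and has read no
        unsanitized object from another CD (that would turn o into a mailbox)."""
        if o not in self.H[s]:
            return False
        if self.sanitized(o):
            return True                       # l2(o) = l2(v(o)), so condition 2 cannot fail
        return not any(self.l2[p] != self.l2[o] and not self.sanitized(p) for p in self.H[s])

    def write(self, s, o):
        if not self.can_write(s, o):
            return False
        self.flows.update((p, o) for p in self.H[s] if p != o)   # information flows p -> o
        return True

    def all_flows(self):
        """F*: transitive closure of the observed flows."""
        closure = set(self.flows)
        while True:
            new = {(a, d) for a, b in closure for c, d in closure if b == c} - closure
            if not new:
                return closure
            closure |= new

    def flows_obey_key_result(self):
        """Every flow (o, o') must satisfy l2(o) = l2(o') or l2(o) = l2(v(o))."""
        return all(self.l2[a] == self.l2[b] or self.sanitized(a) for a, b in self.all_flows())


def demo():
    """Replay the trading-house scenario; return each access decision for inspection."""
    cw = ChineseWall({                        # constructed sample objects
        "bank1.ledger":  ("bank", "Bank 1"),
        "bank2.ledger":  ("bank", "Bank 2"),
        "gas.forecast":  ("gasoline", "Gas"),
        "market.report": (PUBLIC_COI, SANITIZED_CD),
    })
    r = {}
    r["anthony reads bank1"] = cw.read("anthony", "bank1.ledger")    # PR empty: granted
    r["anthony reads bank2"] = cw.read("anthony", "bank2.ledger")    # same COI, other CD: denied
    r["anthony reads gas"] = cw.read("anthony", "gas.forecast")      # other COI: granted
    r["anthony reads public"] = cw.read("anthony", "market.report")  # sanitized: granted
    r["susan reads bank2"] = cw.read("susan", "bank2.ledger")
    r["susan reads gas"] = cw.read("susan", "gas.forecast")
    # The mailbox: if Anthony could write Gas, Susan would learn Bank 1 data through it.
    r["anthony writes gas"] = cw.write("anthony", "gas.forecast")
    r["anthony writes bank1"] = cw.write("anthony", "bank1.ledger")  # he also read Gas: denied
    cw.read("pat", "market.report")
    cw.read("pat", "gas.forecast")
    r["pat writes gas"] = cw.write("pat", "gas.forecast")            # only Gas and public read: granted
    r["key result holds"] = cw.flows_obey_key_result()
    return r, cw
```

Note that Anthony, having read unsanitized objects from two different CDs, can write nothing at all (not even back into Bank 1's CD), which is exactly what the CW-*-property says; Pat, whose only unsanitized reads are in Gas's CD, may write there, and the one flow that results (from the sanitized report into Gas) is one the key result permits.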
Compare to Bell-LaPadula
- Fundamentally different: CW has no security labels, BLP does. CW has a notion of past accesses, BLP does not.
- Bell-LaPadula can capture the state at any time: each (COI, CD) pair gets a security category. Two clearances, S (sanitized) and U (unsanitized), with S dom U. Subjects are assigned clearances for compartments without multiple categories corresponding to CDs in the same COI class.

Compare to Bell-LaPadula (continued)
- Bell-LaPadula cannot track changes over time. Susan becomes ill and Anna needs to take over; the CW history lets Anna know whether she can. There is no way for Bell-LaPadula to capture this.
- Access constraints change over time. Initially, subjects in CW can read any object; Bell-LaPadula constrains the set of objects that a subject can access. Can't clear all subjects for all categories, because this would violate the CW-simple security condition.