Security ECS 289M
These 14-page class notes were uploaded by Ashleigh Dare on Tuesday, September 8, 2015. The notes belong to ECS 289M at University of California - Davis, taught by Staff in Fall. Since their upload, they have received 40 views.
Date Created: 09/08/15
ECS 289M Lecture 10, April 21, 2006
ECS 289M: Foundations of Computer and Information Security

Slide 2: Requirements of Policies
1. Users will not write their own programs, but will use existing production programs and databases.
2. Programmers will develop and test programs on a nonproduction system; if they need access to actual data, they will be given production data via a special process, but will use it on their development system.
3. A special process must be followed to install a program from the development system onto the production system.
4. The special process in requirement 3 must be controlled and audited.
5. The managers and auditors must have access to both the system state and the system logs that are generated.

Slide 3: Biba Integrity Model
- Basis for all 3 models
- Set of subjects $S$, objects $O$, integrity levels $I$, relation $\le \subseteq I \times I$ holding when the second dominates the first
- $\min: I \times I \to I$ returns the lesser of two integrity levels
- $i: S \cup O \to I$ gives the integrity level of an entity
- $r \subseteq S \times O$ means $s \in S$ can read $o \in O$
- $w$, $x$ defined similarly (write, execute)

Slide 4: Intuition for Integrity Levels
- The higher the level, the more confidence
  - That a program will execute correctly
  - That data is accurate and/or reliable
- Note the relationship between integrity and trustworthiness
- Important point: integrity levels are not security levels

Slide 5: Information Transfer Path
- An information transfer path is a sequence of objects $o_1, \ldots, o_{n+1}$ and a corresponding sequence of subjects $s_1, \ldots, s_n$ such that $s_i \, r \, o_i$ and $s_i \, w \, o_{i+1}$ for all $i$, $1 \le i \le n$.
- Idea: information can flow from $o_1$ to $o_{n+1}$ along this path by successive reads and writes.

Slide 6: Low-Water-Mark Policy
- Idea: when $s$ reads $o$, $i(s) = \min(i(s), i(o))$; $s$ can only write objects at lower levels
- Rules
  1. $s \in S$ can write to $o \in O$ if and only if $i(o) \le i(s)$
  2. If $s \in S$ reads $o \in O$, then $i'(s) = \min(i(s), i(o))$, where $i'(s)$ is the subject's integrity level after the read
  3. $s_1 \in S$ can execute $s_2 \in S$ if and only if $i(s_2) \le i(s_1)$

Slide 7: Information Flow and Model
- If there is an information transfer path from $o_1 \in O$ to $o_{n+1} \in O$, enforcement of the low-water-mark policy requires $i(o_{n+1}) \le i(o_1)$ for all $n > 1$.
- Idea of proof
  - Assume an information transfer path exists between $o_1$ and $o_{n+1}$.
  - Assume that each read and write was performed in the order of the indices of the vertices.
  - By induction, the integrity level for each subject is the minimum of the integrity levels for all objects preceding it in the path, so $i(s_n) \le i(o_1)$.
  - As the $n$th write succeeds, $i(o_{n+1}) \le i(s_n)$.
  - Hence $i(o_{n+1}) \le i(o_1)$.

Slide 8: Problems
- Subjects' integrity levels decrease as the system runs
  - Soon no subject will be able to access objects at high integrity levels
- Alternative: change object levels rather than subject levels
  - Soon all objects will be at the lowest integrity level
- Crux of the problem is that the model prevents indirect modification
  - Because subject levels are lowered when a subject reads from a low-integrity object

Slide 9: Ring Policy
- Idea: subject integrity levels are static
- Rules
  1. $s \in S$ can write to $o \in O$ if and only if $i(o) \le i(s)$
  2. Any subject can read any object
  3. $s_1 \in S$ can execute $s_2 \in S$ if and only if $i(s_2) \le i(s_1)$
- Eliminates the indirect modification problem
- Same information flow result holds

Slide 10: Strict Integrity Policy
- Similar to the Bell-LaPadula model
  1. $s \in S$ can read $o \in O$ iff $i(s) \le i(o)$
  2. $s \in S$ can write to $o \in O$ iff $i(o) \le i(s)$
  3. $s_1 \in S$ can execute $s_2 \in S$ iff $i(s_2) \le i(s_1)$
- Add compartments and discretionary controls to get the full dual of the Bell-LaPadula model
- Information flow result holds
  - Different proof, though
- The term "Biba Model" refers to this

Slide 11: LOCUS and Biba
- Goal: prevent untrusted software from altering data or other software
- Approach: make levels of trust explicit
  - Credibility rating based on an estimate of the software's trustworthiness (0 untrusted, ..., n highly trusted)
  - Trusted file systems contain software with a single credibility level
  - A process has a risk level, the highest credibility level at which the process can execute
  - Must use the run-untrusted command to run software at a lower credibility level

Slide 12: Integrity Matrix Model
- Lipner proposed this as the first realistic commercial model
- Combines the Bell-LaPadula and Biba models to obtain a model conforming to the requirements
- Do it in two steps
  - Bell-LaPadula component first
  - Add in the Biba component

Slide 13: Bell-LaPadula Clearances
- 2 security clearances/classifications
  - AM (Audit Manager): system audit, management functions
  - SL (System Low): any process can read at this level

Slide 14: Bell-LaPadula Categories
- 5 categories
  - D (Development): production programs in development but not yet in use
  - PC (Production Code): production processes, programs
  - PD (Production Data): data covered by the integrity policy
  - SD (System Development): system programs in development but not yet in use
  - T (Software Tools): programs on the production system not related to protected data

Slide 15: Users and Security Levels
Subjects                     | Security Level
Ordinary users               | (SL, {PC, PD})
Application developers       | (SL, {D, T})
System programmers           | (SL, {SD, T})
System managers and auditors | (AM, {D, PC, PD, SD, T})
System controllers           | (SL, {D, PC, PD, SD, T}) and downgrade privilege

Slide 16: Objects and Classifications
Objects                         | Security Level
Development code/test data      | (SL, {D, T})
Production code                 | (SL, {PC})
Production data                 | (SL, {PC, PD})
Software tools                  | (SL, {T})
System programs                 | (SL, $\emptyset$)
System programs in modification | (SL, {SD, T})
System and application logs     | (AM, {appropriate})

Slide 17: Ideas
- Ordinary users can execute (read) production code but cannot alter it
- Ordinary users can alter and read production data
- System managers need access to all logs but cannot change levels of objects
- System controllers need to install code (hence the downgrade capability)
- Logs are append only, so must dominate the subjects writing them

Slide 18: Check Requirements
1. Users have no access to T, so cannot write their own programs
2. Application programmers have no access to PD, so cannot access production data; if needed, it must be put into D, requiring the system controller to intervene
3. Installing a program requires the downgrade procedure (from D to PC), so only system controllers can do it

Slide 19: More Requirements
4. Control: only system controllers can downgrade; audit: any such downgrading must be audited
5. System management and audit users are in AM and so have access to system state and logs

Slide 20: Problem
- Too inflexible
  - System managers cannot run programs for repairing an inconsistent or erroneous production database
  - System managers are at AM, production data at SL
- So add more

Slide 21: Adding Biba
- 3 integrity classifications
  - ISP (System Program): for system programs
  - IO (Operational): production programs, development software
  - ISL (System Low): users get this on log in
- 2 integrity categories
  - ID (Development): development entities
  - IP (Production): production entities

Slide 22: Simplify Bell-LaPadula
- Reduce security categories to 3
  - SP (Production): production code, data
  - SD (Development): same as D
  - SSD (System Development): same as old SD

Slide 23: Users and Levels
Subjects                     | Security Level                           | Integrity Level
Ordinary users               | (SL, {SP})                               | (ISL, {IP})
Application developers       | (SL, {SD})                               | (ISL, {ID})
System programmers           | (SL, {SSD})                              | (ISL, {ID})
System managers and auditors | (AM, {SP, SD, SSD})                      | (ISL, {IP, ID})
System controllers           | (SL, {SP, SD}) and downgrade privilege   | (ISP, {IP, ID})
Repair                       | (SL, {SP})                               | (ISL, {IP})

Slide 24: Objects and Classifications
Objects                         | Security Level      | Integrity Level
Development code/test data      | (SL, {SD})          | (ISL, {IP})
Production code                 | (SL, {SP})          | (IO, {IP})
Production data                 | (SL, {SP})          | (ISL, {IP})
Software tools                  | (SL, $\emptyset$)   | (IO, {ID})
System programs                 | (SL, $\emptyset$)   | (ISP, {IP, ID})
System programs in modification | (SL, {SSD})         | (ISL, {ID})
System and application logs     | (AM, {appropriate}) | (ISL, $\emptyset$)
Repair                          | (SL, {SP})          | (ISL, {IP})

Slide 25: Ideas
- Security clearances of subjects are the same as without integrity levels
- Ordinary users need to modify production data, so ordinary users must have write access to integrity category IP
- Ordinary users must be able to write production data but not production code; the integrity classes allow this
- Note: writing constraints are removed from the security classes

Slide 26: Clark-Wilson Integrity Model
- Integrity defined by a set of constraints
  - Data is in a consistent or valid state when it satisfies these
- Example: bank. D today's deposits, W withdrawals, YB yesterday's balance, TB today's balance
  - Integrity constraint: $D + YB - W = TB$
- Well-formed transactions move the system from one consistent state to another
- Issue: who examines and certifies that transactions are done correctly?

Slide 27: Entities
- CDIs: constrained data items
  - Data subject to integrity controls
- UDIs: unconstrained data items
  - Data not subject to integrity controls
- IVPs: integrity verification procedures
  - Procedures that test that the CDIs conform to the integrity constraints
- TPs: transaction procedures
  - Procedures that take the system from one valid state to another

Slide 28: Certification Rules 1 and 2
- CR1: When any IVP is run, it must ensure all CDIs are in a valid state
- CR2: For some associated set of CDIs, a TP must transform those CDIs in a valid state into a (possibly different) valid state
  - Defines the relation certified that associates a set of CDIs with a particular TP
  - Example: TP balance, CDIs accounts, in the bank example
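The three Biba policies of slides 6, 9 and 10, driven along an information transfer path as in slides 5 and 7. This is an added example, not code from the lecture; the integer integrity scale (higher = more trusted) and the entity names are constructed.

```python
from dataclasses import dataclass


@dataclass
class Entity:
    name: str
    level: int    # i(x): integrity level; higher = more trusted (constructed scale)


class Biba:
    """policy is 'low_water_mark', 'ring' or 'strict', matching the three slides."""
    def __init__(self, policy):
        self.policy = policy

    def can_write(self, s, o):
        # Shared by all three policies: s may write o iff i(o) <= i(s)
        return o.level <= s.level

    def can_execute(self, s1, s2):
        # Shared by all three policies: s1 may execute s2 iff i(s2) <= i(s1)
        return s2.level <= s1.level

    def read(self, s, o):
        """Perform a read; returns False if the policy denies it."""
        if self.policy == "strict":
            return s.level <= o.level          # read allowed iff i(s) <= i(o)
        if self.policy == "low_water_mark":
            s.level = min(s.level, o.level)    # i'(s) = min(i(s), i(o))
        return True                            # ring: any subject reads any object


def transfer_path(policy, object_levels, subject_levels):
    """Drive the path o1 -r-> s1 -w-> o2 -r-> s2 ... -w-> o_{n+1} in index order.
    Returns (object levels, subject levels) after the run, or None as soon as
    a read or write is denied."""
    objects = [Entity(f"o{k + 1}", lv) for k, lv in enumerate(object_levels)]
    subjects = [Entity(f"s{k + 1}", lv) for k, lv in enumerate(subject_levels)]
    b = Biba(policy)
    for k, s in enumerate(subjects):
        if not b.read(s, objects[k]) or not b.can_write(s, objects[k + 1]):
            return None
    return [o.level for o in objects], [s.level for s in subjects]


if __name__ == "__main__":
    # Downhill path: low-water-mark permits it and i(o3) <= i(o1) holds (slide 7)
    print(transfer_path("low_water_mark", [3, 2, 1], [5, 5]))   # ([3, 2, 1], [3, 2])
    # Uphill path: low-water-mark denies the write after the subject's level
    # drops; ring keeps the subject's level static and lets the flow through
    print(transfer_path("low_water_mark", [1, 3], [5]))         # None
    print(transfer_path("ring", [1, 3], [5]))                   # ([1, 3], [5])
```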
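The combined Bell-LaPadula plus Biba check of the integrity matrix model (slides 23 to 25), as an added example rather than anything from the lecture. It assumes the strict integrity rules for reads and writes, the class orderings SL < AM and ISL < IO < ISP, and takes the subject and object levels from the two tables; the system manager versus repair rows show the inflexibility of slide 20 and its fix.

```python
SEC_ORDER = {"SL": 0, "AM": 1}                 # Bell-LaPadula classes: SL < AM (assumed order)
INT_ORDER = {"ISL": 0, "IO": 1, "ISP": 2}      # Biba classes: ISL < IO < ISP (assumed order)


def dominates(order, a, b):
    """(class, categories) a dominates b iff class(a) >= class(b) and cats(b) ⊆ cats(a)."""
    return order[a[0]] >= order[b[0]] and b[1] <= a[1]


def can_read(subj, obj):
    # Bell-LaPadula simple security (no read up): subject's security level dominates object's.
    # Biba strict integrity (no read down): object's integrity level dominates subject's.
    return (dominates(SEC_ORDER, subj["sec"], obj["sec"])
            and dominates(INT_ORDER, obj["int"], subj["int"]))


def can_write(subj, obj):
    # Bell-LaPadula *-property (no write down): object's security level dominates subject's.
    # Biba (no write up): subject's integrity level dominates object's.
    return (dominates(SEC_ORDER, obj["sec"], subj["sec"])
            and dominates(INT_ORDER, subj["int"], obj["int"]))


def level(sec_cls, sec_cats, int_cls, int_cats):
    return {"sec": (sec_cls, frozenset(sec_cats)), "int": (int_cls, frozenset(int_cats))}


SUBJECTS = {   # rows of "Users and Levels"
    "ordinary user":         level("SL", {"SP"}, "ISL", {"IP"}),
    "application developer": level("SL", {"SD"}, "ISL", {"ID"}),
    "system programmer":     level("SL", {"SSD"}, "ISL", {"ID"}),
    "system manager":        level("AM", {"SP", "SD", "SSD"}, "ISL", {"IP", "ID"}),
    "repair":                level("SL", {"SP"}, "ISL", {"IP"}),
}
OBJECTS = {    # rows of "Objects and Classifications"
    "production code": level("SL", {"SP"}, "IO", {"IP"}),
    "production data": level("SL", {"SP"}, "ISL", {"IP"}),
    "system programs": level("SL", set(), "ISP", {"IP", "ID"}),
}


def access(subject, obj):
    """Rights `subject` has to `obj`, as a subset of {'r', 'w'}."""
    s, o = SUBJECTS[subject], OBJECTS[obj]
    return {r for r, ok in (("r", can_read(s, o)), ("w", can_write(s, o))) if ok}
```

For example, access("ordinary user", "production code") is {'r'} while access("ordinary user", "production data") is {'r', 'w'}, which is the slide 25 claim; the system manager cannot write production data (AM does not fit under SL) but the repair subject can.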
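The bank constraint of slide 26 with an IVP for CR1 and the certified relation of CR2 (slides 27 and 28), as an added example that is not from the lecture. Account names, amounts and the TP names are constructed; the rollback on a failed post-check is my own way of enforcing CR2 at run time.

```python
from dataclasses import dataclass


@dataclass
class Account:            # one CDI: a constrained data item
    D: int = 0            # today's deposits
    W: int = 0            # today's withdrawals
    YB: int = 0           # yesterday's balance
    TB: int = 0           # today's balance


def valid(acct):
    """The integrity constraint from the slide: D + YB - W = TB."""
    return acct.D + acct.YB - acct.W == acct.TB


def ivp(cdis):
    """CR1: an IVP must check that every CDI is in a valid state."""
    return all(valid(a) for a in cdis.values())


# Well-formed TPs: each moves an account from one valid state to another.
def deposit(acct, amount):
    acct.D += amount
    acct.TB += amount


def withdraw(acct, amount):
    acct.W += amount
    acct.TB -= amount


def sloppy_bonus(acct, amount):   # not well-formed: changes TB without recording a deposit
    acct.TB += amount


# CR2: the certified relation associates a TP with the CDIs it may transform
# (keyed by account name). sloppy_bonus is deliberately mis-certified for "bob"
# so the post-check below has something to catch.
CERTIFIED = {deposit: {"alice", "bob"}, withdraw: {"alice", "bob"}, sloppy_bonus: {"bob"}}


def run_tp(cdis, tp, name, amount):
    """Run tp on CDI `name`. Returns True iff tp is certified for that CDI and
    leaves it valid (CR2); an invalid result is rolled back."""
    if name not in CERTIFIED.get(tp, set()):
        return False
    before = Account(**vars(cdis[name]))
    tp(cdis[name], amount)
    if valid(cdis[name]):
        return True
    cdis[name] = before
    return False
```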