0% found this document useful (0 votes)

27 views78 pages

LEcture 4

The document discusses security policies and models. It defines security policies and outlines elements of security policies related to confidentiality, integrity, and availability. It also describes the Bell-LaPadula and Biba models, which are formal security models for confidentiality and integrity policies respectively.

Uploaded by

Dongje Kim

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

27 views78 pages

LEcture 4

Uploaded by

Dongje Kim

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 78

4

k
ee
W

CS 3923/CS 6813
Computer Security/Information
Security & Privacy

Security Policies

[*] Slides based upon materials maintained by Justin

Cappos at NYU
4
k
ee
W

Security Policy
● A security policy is a set of rules stating which actions are
permitted and which are not.
● Can be informal or highly mathematical.
● If we consider a computer system to be a finite state
automaton with state transitions, then
○ A security policy is a statement that partitions the states of a system
into a set of authorized or secure states and a set of unauthorized or
non-secure states.
○ A secure system is a system that starts in an authorized state and
cannot enter an unauthorized state.
○ A breach of security occurs when a system enters an unauthorized
state.
● We expect a trusted system to enforce the required security
policies.
4
k
ee
W

Definitions
● There is no standard definition of security policy.
● Some define them as documents for humans to read:
○ The SANS Institute defines a security policy as "a document that
outlines specific requirements or rules that must be met...usually
point-specific, covering a single area.”
○ SearchSecurity.com: "In business, a security policy is a document that
states in writing how a company plans to protect the company's
physical and information technology (IT) assets.”
○ ISO17799: “To provide management direction and support for
information security”
4
k
ee
W

Definitions (continued)
● But in other contexts, machine readable instructions are also
called policy:
○ The term “firewall policy” is typically used for the firewall rule set
○ Crypto policy (acceptable algorithms, key lengths) are used in IPSec
Security Association (SA) negotiations
○ Machine readable policies all derive from text-based policies, and
should just be machine readable versions of human readable policies
(possibly with detail added)
● Many documents about policy focus on policies for users and
employees (e. g., acceptable use policies)
● We take a broad view of what a policy is, but focus on
“human readable policies”
4
k
ee
W

Confidentiality, Integrity and Availability

● Confidentiality: Let X be a set of entities and I be some
information. Then I has the property of confidentiality with
respect to X if no member of X can obtain information about
I.
● Integrity: Let X be a set of entities and I some information.
Then I has the property of integrity with respect to X if I is
unmodifiable by X.
● Availability: Let X be a set of entities and I a resource. Then I
has the property of availability with respect to X if all
members of X can access I.
4
k
ee
W

Elements of a Security Policy

● A security policy considers all relevant aspects of
confidentiality, integrity and availability.
○ Confidentiality policy: Identifies information leakage and controls
information flow.
○ Integrity Policy: Identifies authorized ways in which information may
be altered. Enforces separation of duties.
○ Availability policy: Describes what services must be provided:
example – a browser must be able to download pages but may
optionally choose not to execute JavaScript.
4
k
ee
W

Mechanism and Policy

● Mechanism should not be confused with policy.
● A security mechanism is an entity or procedure
that enforces some part of a security policy.
4
k
ee
W

Mechanism or Policy?
4
k
ee
W

Types of Security Policies

● Two types of security policies have been well
studied in the literature:
○ A military security policy (also called government security
policy) is a security policy developed primarily to provide
confidentiality.
■ Not worrying about trusting the object as much as disclosing the
object
○ A commercial security policy is a security policy developed
primarily to provide integrity.
■ Focus on how much the object can be trusted.
● Also called confidentiality policy and integrity policy.
4
k
ee
W

Security Models
● To formulate a security policy you have to describe
entities it governs and what rules constitute it – a
security model does just that!
● A security model is a model that represents a
particular policy or set of policies. They are used
to:
○ Describe or document a policy
○ Test a policy for completeness and consistency
○ Help conceptualize and design an implementation
○ Check whether an implementation meets requirements.
4
k
ee
W

The Bell-La Padula (BLP) Model

● BLP model is a formal description of allowable
paths of information flow in a secure system.
● Formalization of military security policy –
confidentiality.
● Set of subjects S and objects O. Each subject s in S
and o in O has a fixed security class L(s)
(clearance) and L(o) (classification).
● Security classes are ordered by a relation
● Combines mandatory and discretionary access
control.
4
k
ee
W

Example
Top Secret (TS) Dean Jelena Strategic Files
| | |
Secret (S) Prof. Gerig Personnel Files
| | |
Confidential (C) Susana Student Files
| | |
Unclassified (UC) Prof. Cappos Class Files
A basic confidentiality classification system. The four levels are arranged on the
list from most sensitive at top and least sensitive at bottom. In the middle are
individuals grouped by their security clearance and at the right are documents
grouped by their security level.
So Prof. Cappos can read class files and Dean Jelena can read any file. But
what if Dean Jelena reads contents of personnel files and writes them onto the
CS392 class file?
4
k
ee
W

BLP – Simple Version

● Two properties characterize the secure flow of
information:
○ Simple Security Property: A subject s may have read access to
an object o if and only if L(o) <= L(s) and s has discretionary read
access to o.
(Security clearance of subject has to be at least as high as that of the object).
○ *-Property: A subject s who has read access to an object o may
have write access to an object p only if L(o) <= L(p) and s has
discretionary write access to o.
(Contents of a sensitive object can only be written to objects at least as high.
That is, prevent write-down).
4
k
ee
W

BLP – Simple Version (Contd.)

● Basic Security Theorem: Let there be a
system with a secure initial state and let T be
a set of transformations . If every element of
T preserves the simple security property and
*-property, then every state is secure.
k
ee
4 BLP - Communicating with Subjects at a
W

Lower Level
● If Alice wants to talk to Bob who is at a lower level
how does she write a message to him?
● BLP allows this by having notion of maximum-security
level and current security level.
● Maximum security level must dominate current
security level.
● A "trusted subject" may effectively decrease its
security level
○ This effectively ignores the *-Property
4
k
ee
W

Tranquility Principle
● Recall: BLP assumed that security levels of objects are
constant.
● Principle of tranquility states that subjects and objects may
not change their security level once instantiated.
● Principle of strong tranquility states that security levels do
not change during the lifetime of the system.
● Principle of weak tranquility states that security levels do
not change in a way that violates the rules of a given
security policy.
4 What about other properties?
k
ee
W

What property does BLP protect?

What other properties are desirable?

4
k
ee
W

Biba Integrity Model (intuition)

● Protect integrity, not confidentiality

Core concept: "no read down, no write up"

● One cannot read a lower level

● One cannot write a higher level

4
k
ee
W

Biba Integrity Model (intuition)

● A General may write orders to a Colonel, who can
issue these orders to a Major. In this fashion, the
General's original orders are kept intact, and the
mission of the military is protected (thus, "no read
down" integrity). Conversely, a Private can never issue
orders to his Sergeant, who may never issue orders to
a Lieutenant, also protecting the integrity of the
mission ("no write up"). [Wikipedia]
4
k
ee
W

Biba Integrity Model

● Biba integrity model is counterpart (dual) of BLP model.
● It identifies paths that could lead to inappropriate
modification of data as opposed to inappropriate
disclosure in the BLP model.
● A system consists of a set S of subjects, a set O of
objects, and a set I of integrity levels. The levels are
ordered.
● Subjects and Objects are ordered by the integrity
classification scheme; denoted by I(s) and I(o).
4
k
ee
W

What is wrong with Biba and BLP?

● Guarantees seem unrealistic

● Principles perform all operations

○ "Who" actually computes?

● Does this apply to the real world?

4
k
ee
W

Chinese Wall Model

● The Chinese Wall Model is a model of a security
policy that speaks equally to confidentiality and
integrity. It describes policies that involve a conflict
of interest in business. For example:
○ In the environment of a stock exchange or investment
house the goal of the model is to prevent a conflict of
interest in which a trader represents two clients, and the
best interests of the client's conflict, so the trader could
help one gain at the expense of the other.
4
k
ee
W

Chinese Wall Model

● The objects of the database are items of information
related to a company.
● A company dataset (CD) contains objects related to a
single company.
● A conflict of interest class (COI) contains the datasets
of companies in competition.
● COI(O) represents the conflict of interest class that
contains object O.
● CD(O) represents the company dataset that contains
object O. The model assumes that each object
belongs to exactly one conflict of interest class.
4
k
ee
W

Chinese Wall Model

Bank Gas Company
COI COI
Bank of
Deutsche Amoco Texaco
America
bank

Citibank Shell Mobil

Anthony has access to the objects in the CD of Bank of

America. Because the CD of Citibank is in the same COI as
that of Bank of America, Anthony cannot gain access to the
objects in Citibank’s CD. Thus, this structure of the database
provides the required ability.
4
k
ee
W

Chinese Wall Model

● Suppose Anthony and Susan work in the same trading house.
Anthony can read objects in Bank of America’s CD, and
Susan can read objects in Citibank’s CD. Both can read
objects in Amoco’s CD. If Anthony can also write objects in
Amoco’s CD, then he can read information from objects in
Bank of America’s CD, write it to objects in Amoco’s CD, and
then Susan can read that information;
● CW-* Property Rule: A subject S may write to an object O if
and only if all of the following conditions hold:
○ The CW-simple security rule permits S to read O; and
○ For all unsanitized objects O’, S can read O’ => CD(O’) = CD(O).
4
k
ee

How does one limit access?

Many cases access is necessary

But not necessarily full / permanent access

Examples:
Doctor access to health records

Government access to ISP / telephone records

Police access to criminal record

k
ee
4 Critical Information Systems Security
W

Policy
● Policy for health information systems (Anderson).
● A patient is the subject of medical records, or an
agent for that person who can give consent for the
person to be treated.
● Protected Health Information is information about a
patient’s health or treatment enabling that patient to
be identified.
● A clinician is a healthcare professional who has
access personal access to personal health
information while performing their jobs.
4
k
ee
W

Access Principles
● Each medical record has an access control list naming the
individuals or groups who may read and append information to
the record. The system must restrict access to those identified
in the list.
● One of the clinicians on the access control list (responsible
clinician) must have the right to add other clinicians to the
access control list.
● The responsible clinician must notify the patient of the names
on the access control list whenever the patient’s medical record
is opened. Except for situations given in Statutes or in cases of
emergency the responsible clinician must obtain the patient’s
consent.
4
k
ee
W

Security Policies in Practice

● A security policy is essentially a document stating
security goals, and which actions are required,
which are permitted, and which are allowed.
○ Policies may apply to actions by a system, by
management procedures, by employees, by system
users.
○ A complete security policy is a collection policies on
specific security issues.
4
k
ee
W

Examples of Policy Areas

● Protection of Sensitive Information
○ Addresses the protection goals
○ Defines the way people interact with the data (who gets access,
discussing information, printing, storing, etc.)
○ Policy may prescribe the technology used to handle sensitive
information (e. g., DoD)--this technology is one of the enforcement
mechanisms
○ Audit is usually another enforcement mechanism
● Acceptable Use Policy for employee internet access on corporate
systems
○ Defines what employees can and cannot use the corporate systems for
on the Internet.
○ Should define penalties for violations
○ Enforcement: website blocking, activity logging and audit, individual
workstation audit
4
k
ee
W