Thursday, October 3, 2019
Security models
Security models EXECUTIVE SUMMARY One of the most essential part of securing access to data, information, security, as well as computer organization is by having security policy. A computer security policy consist of a clearly defined and precise set of rules, for determining authorization as a basis for making access control decisions. A security policy captures the security requirements of an establishment or describes the steps that have to be taken to achieve the desired level of security. A security policy is typically stated in terms of subjects and objects, given the desired subject and object there must be a set of rules that are used by the system to determine whether a given subject can be given access to a specific object. A security model is a formal or an informal way of capturing such policies. Security models are an important concept in the design of a system. The implementation of the system is then based on the desired security model. In particular, security models are used to test a particular policy for completeness and consistency document a policy help conceptualize and design an implementation check whether an implementation meets its requirements We assume that some access control policy dictates whether a given user can access a particular object. We also assume that this policy is established outside any model. That is, a policy decision determines whether a specific user should have access to a specific object; the model is only a mechanism that enforces that policy. Thus, we begin studying models by considering simple ways to control access by one user. In this paper, we would briefly explain about two main security models that have already known and been used in securing a system. The two of them are BIBA and Bell La-Padula. Basically this two known system have been used widely in the world and it is essential for us as security technology students to understand and implement it in the future system. We highly hope that this paper can help the student to understand the security policy that being implemented by the BIBA and Bell La-Padula model. CATEGORY OF SECURITY MODELS Biba Model The Biba integrity model was published in 1977 at the Mitre Corporation, one year after the Bell La-Padula model (Cohen ). As stated before, the Bell La-Padula models guarantees confidentiality of data but not its integrity. As a result, Biba created a model use address to enforcing integrity in a computer system. The Biba model proposed a group of integrity policies that can be used. So, the Biba model is actually family of different integrity policies. Each of the policies uses different conditions to ensure information integrity (Castano). The Biba model, in turn, uses both discretionary and nondiscretionary policies. The Biba model uses labels to give integrity levels to the subjects and objects. The data marked with a high level of integrity will be more accurate and reliable than data labeled with a low integrity level. The integrity level use to prohibit the modification of data. Access Modes The Biba Model consists of group access modes. The access modes are similar to those used in other models, although they may use different terms to define them. The access modes that the Biba model supports are: Modify: allows a subject to write to an object. This mode is similar to the write mode in other models. Observe: allows a subject to read an object. This command is synonyms with the read command of other models. Invoke: allows a subject to communicate with another subject. Execute: allows a subject to execute an object. The command essentially allows a subject to execute a program which is the object Policies Supported by the Biba Model The Biba model can be divided into two types of policies, those that are mandatory and those that are discretionary. Mandatory Policies: Strict Integrity Policy Low-Water-Mark Policy for Subjects Low-Water-Mark Policy for Objects Low-Water-Mark Integrity Audit Policy Ring Policy Discretionary Policies: Access Control Lists Object Hierarchy Ring Mandatory Biba Policies The Strict Integrity Policy is the first part of the Biba model. The policy states: à § Simple Integrity Condition: s âËË S can observe oâËË O if and only if i(s) âⰠ¤ i(o). à § Integrity Star Property: s âËË S can modify to oâËË O if and only if i(o) âⰠ¤ i(s). à § Invocation Property: sââ âËË S can invoke sâââ âËË S if and only if i(sâââ ) âⰠ¤ i(sââ ). The first part of the policy is known as the simple integrity property. The property states that a subject may observe an object only if the integrity level of the subject is less than the integrity level of the object. The second rule of the strict integrity property is the integrity star property. This property states that a subject can write to an object only if the objects integrity level is less than or equal to the subjects level. This rule prevents a subject from writing to a more trusted object. The last rule is the invocation property, which states that a subject sââ can only invoke another subject sâââ, if sâââ has a lower integrity level than sââ . The strict integrity policy enforces ââ¬Å"no write-upâ⬠and ââ¬Å"no read-downâ⬠on the data in the system, which is a subject, is only allowed to modify data at their level or a low level. The ââ¬Å"no write upâ⬠is essential since it limits the damage that can be done by malicious objects in the system. On the other hand, the ââ¬Å"no read downâ⬠prevents a trusted subject from being contaminated by a less trusted object. Specifically, the strict integrity property restricts the reading of lower level objects which may be too restrictive in some cases. To combat this problem, Biba devised a number of dynamic integrity polices that would allow trusted subjects access to an un-trusted objects or subjects. Biba implemented these in a number of different low-water mark policies. The low-watermark policy for subjects is the second part of the Biba model. The policy states: à § Integrity Star Property: s âËË S can modify oâËË O if and only if i(o) âⰠ¤ i(s). à § If s âËË S examines o âËË O the iâ⬠² (s) = min(i(s),i(o)), where iâ⬠² (s) is the subjects integrity level after the read. à § Invocation Property: sââ âËË S can invoke sâââ âËË S if and only if i(sâââ ) âⰠ¤ i(sââ ). The low-watermark policy for subjects is a dynamic policy because it lowers the integrity level of a subject based on the observations of objects. This policy is not without its problems. One problem with this policy is if a subject observes a lower integrity object it will drop the subjects integrity level. Then, if the subject needs to legitimately observe another object it may not be able to do so because the subjects integrity level has been lowered. Depending on the times of read requests by the subject, to observe the objects, a denial of service could develop. The low-watermark policy for objects is the third part of the Biba model. This policy is similar to the low-watermark policy for subject. The policy states: à § s âËË S can modify any o âËË O regardless of integrity level. à § If s âËË S observe o âËË O the iâ⬠² (o) = min(i(s),i(o)), where iâ⬠² (o) is the objects integrity level after it is modified. This policy allows any subject to modify any object. The objects integrity level is then lowered if the subjects integrity level is less than the objects. This policy is also dynamic because the integrity levels of the objects in the system are changed based on what subjects modify them. This policy does nothing to prevent an un-trusted subject from modifying a trusted object. The policy provides no real protection in a system, but lowers the trust placed in the objects. If a malicious program was inserted into the computer system, it could modify any object in the system. The result would be to lower the integrity level of the infected object. It is possible with this policy that, overtime; there will be no more trusted objects in the system because their integrity level has been lowered by subjects modifying them. The low-watermark integrity audit policy is the fourth mandatory policy under the Biba model. The policy states: à § s âËË S can modify any o âËË O , regardless of integrity levels. à § If a subject modifies a higher level object the transaction is recorded in an audit log. The low-watermark integrity audit policy simply records that an improper modification has taken place. The audit log must then be examined to determine the cause of the improper modification. The drawback to this policy is that it does nothing to prevent an improper modification of an object to occur. The Ring Policy is the last mandatory policy in the Biba Model. This policy is not dynamic like the first three policies. Integrity labels used for the ring policy are fixed, similar to those in the strict integrity policy. The Ring Policy states: à § Any subject can observe any object, regardless of integrity levels. à § Integrity Star Property: s âËË S can modify oâËË O if and only if i(o) âⰠ¤ i(s). à § Invocation Property: sââ âËË S can invoke sâââ âËË S if and only if i(sâââ ) âⰠ¤ i(sââ ). The ring policy is not perfect; it allows improper modifications to take place. A subject can read a low level subject, and then modifies the data observed at its integrity level (Castano). Advantages Disadvantages Advantages: ÃË Easy to implement So, It is no harder to implement the strict integrity policy. ÃË Provides a number of different policies If the strict integrity property is too restricting, one of the dynamic policies could be used in its place. Disadvantages: ÃË The model does nothing to enforce confidentiality. ÃË The Biba model does not support the granting and revocation of authorization. ÃË This model is selecting the right policy to implement. Bell La-Padula Model The Bell La-Padula model is a classical model used to define access control. The model is based on a military-style classification system (Bishop). With a military model, the sole goal is to prevent information from being leaked to those who are not privileged to access the information. The Bell La-Padula was developed at the Mitre Corporation, a government funded organization, in the 1970s (Cohen). The Bell La-Padula is an information flow security model because it prevents information to flow from a higher security level to a lower security level. The Bell La-Padula model is based around two main rules: the simple security property and the star property. The simple security property states that a subject can read an object if the object is classification is less than or equal to the subjects clearance level. The simple security property prevents subjects from reading more privileged data. The star property states that a subject can write to an object, if the subjects clearance level is less than or equal to the objects classification level. What the star property essentially does is it prevents the 2 lowering of the classification level of an object. The properties of the Bell La-Padula model are commonly referred to as ââ¬Å"no read upâ⬠and ââ¬Å"no write downâ⬠, respectively. The Bell La-Padula model is not flawless. Specifically, the model does not deal with the integrity of data. It is possible for a lower level subject to write to a higher classified object. Because of these short comings, the Biba model was created. The Biba model in turn is deeply rooted in the Bell La-Padula model. There is a slightly embellished Mealy-type automaton as our model for computer systems. That is, a system (or machine) M is composed of à § a set S of states, with an initial state s0 2 S, à § a set U of users (or subjects in security parlance), à § a set C of commands (or operations), and à § a set O of outputs, Together with the functions next and out: à § next: S Ãâ" U Ãâ" C ââ â S à § out: S Ãâ" U Ãâ" C ââ â O Pairs of the form (u, c) 2 U Ãâ" C are called actions. We derive a function next*: ÃË Next*: S Ãâ" (U Ãâ" C)* ââ â S (The natural extension of next to sequences of actions) by the equations ÃË Next*(s, Ãâº) = s, and ÃË Next*(s, à ± ââ" ¦ (u, c)) = next (next*(s, à ±), u, c), Where Ã⺠denotes the empty string and ââ" ¦ denotes string concatenation. Based on these two primitive types of access, four more elaborate ones can be constructed. These are known as w, r, a, and e access, respectively: w : write access permits both observation and alteration, r : read access permits observation but not alteration, a : append access permits alteration, but not observation, and e : execute access permits neither observation nor alteration. In order to model formally this internal structure of the system state we introduce a set N of object names, a set V of object values, the set A = {w, r, a, e} of access types, And also the functions contents and current-access-set: contents: S Ãâ" N ââ â V , current-access-set: S ââ â P(U Ãâ" N Ãâ" A) (where P denotes power set) with the interpretation that contents(s, n) returns the value of object n in state s, while current-access-set(s) returns the set of all triples (u, n, x) such that subject u has access type x to object n in state s. Observe that contents captures the idea of the value state, while current-access-set embodies the protection state of the system. Thus, we introduce functions alter, and observe: alter : S ââ â P(U Ãâ" N), and observe : S ââ â P(U Ãâ" N) with the definitions: observe(s) def = {(u, n) | (u, n,w) or (u, n, r) Ãâ current-access-set(s)}, and alter(s) def = {(u, n) | (u, n,w) or (u, n, a) Ãâ current-access-set(s)}. That is, observe(s) returns the set of all subject-object pairs (u, n) for which subject u has observation rights to object n in state s, while alter (s) returns the set of all pairs for which subject u has alteration rights to object n in state s. Definitions of Bell La-Padula Definition 1 (Simple Security Property) A state s Ãâ S satisfies the simple security property if Ãâ N: ÃË (u, n) Ãâ observe(s) clearance (u) âⰠ¥ classification(s, n). A rule r is ss-property-preserving if next(s, u, r) satisfies the ss-property whenever s does. Definition 2 (*-property) Let T U denote the set of trusted subjects. A state s Ãâ S satisfies the *-property if, for all un-trusted subjects u Ãâ UT (we use to denote set difference) and objects n Ãâ N: ÃË (u, n) Ãâ alter(s) âŠÆ' classification(s, n) âŠÆ' current-level(s, u), and ÃË (u, n) Ãâ observe(s) current-level(s, u) âŠÆ' classification(s, n). A rule r is *-property-preserving if next(s, u, r) satisfies the *-property whenever s does. Note that it follows from these definitions that: ÃË (u, n, a) Ãâ current-access-set(s)current-level(s, u), ÃË (u, n, r) Ãâ current-access-set(s) classification(s, n), And ÃË (u, n,w) Ãâ current-access-set(s) classification(s, n) = current-level(s, u). Also, as a simple consequence of the transitivity of âⰠ¥, if a state s satisfies the *-property and u is an un-trusted subject with alteration rights to object n1 and observation rights to object n2 (in state s), then ÃË classification(s, n1) âⰠ¥ classification(s, n2). The original formulation of the *- property was somewhat different than that given above in that it did not employ the notion of a subjects current-level. The formulation of the *-property given in [1, Volume II] is, u Ãâ TU, and m, n Ãâ N: ÃË (u,m) Ãâ observe(s) ^ (u, n) Ãâ alter(s) âŠÆ' classification(s, n) âŠÆ' classification(s,m). Definition 3 (Security) A state is secure if it satisfies both the simple security property and the *-property. A rule r is security-preserving if next(s, u, r) is secure whenever s is. We say that a state s is reachable if ÃË s = next*(s0, à ±) for some action sequence à ± Ãâ (U Ãâ" C)*. A system satisfies the simple security property if every reachable state satisfies the simple security property. A system satisfies the *-property if every reachable state satisfies the *-property. A system is secure if every reachable state is secure. Applications of Bell La-Padula Bell and La Padula demonstrated the application of their security model by using the results of the previous section to establish the security of a representative class of 11 rules. These rules were chosen to model those found in the Multics system. 1. Get-Read (rule 1 of [2]) A subject u may call the rule get-read(n) in order to acquire read access to the object n. The rule checks that the following conditions are satisfied. clearance (u) âⰠ¥ classification(s, n) If u is not a trusted subject (i.e., u Ãâ UT), then o current-level(s, u) âⰠ¥ classification(s, n) If both these conditions are satisfied, the rule modifies the protection state by setting à § current-access-set(s0) = current-access-set(s) {(u, n, r)}, where s0 denotes the new system state following execution of the rule. Otherwise, the system state is not modified. The security of get-read follows directly from Corollary 9. 2. Get-Append, Get-Execute, Get-Write (rules 2 to 4 of [2]) These are analogous to get-read. 3. Release-Read (rule 5 of [2]) A subject u may call the rule release-read(n) in order to release its read access right to the object n. No checks are made by the rule, which simply modifies the protection state by setting à § current-access-set(s0) = current-access-set(s){(u, n, r)}, where s0 denotes the new system state following execution of the rule. The security of release read follows directly from Theorem 10. 4. Release-Execute, Release-Append, Release-Write (rule 5 of [2]) These are analogous to release-read. 5. Change-Subject-Current-Security-Level (rule 10 of [2]) A subject u may call Change-Subject-Current-Security-Level(l) in order to request that its current-level be changed to l. The rule checks that the following conditions are satisfied. clearance(u) âⰠ¥ l (i.e., a subjects current-level may not exceed its clearance). If u is an un-trusted subject (i.e., u Ãâ UT) then assigning l as the current level of u must not cause the resulting state to violate the *-propertyââ¬âi.e.,n Ãâ N: à § (u, n) Ãâ alter(s) âŠÆ' classification(s, n) âⰠ¥ l, and à § (u, n) Ãâ observe(s) âŠÆ' l âⰠ¥ classification(s, n). If both these conditions are satisfied, the rule modifies the system state by settingcurrent-level (s0, u) = l, where s0 denotes the new system state following execution of the rule. Otherwise, the system state is not modified. 6. Change-Object-Security-Level (rule 11 of [2]) A subject u may call Change-Object-Security-Level(n, l) in order to request that the classification of object n be changed to l. The rule checks that the following conditions are satisfied. current-level(s, u) âⰠ¥ classification(s, n) (i.e., no subject may change the classification of an object which is currently classified above its own level). If u is an un-trusted subject (i.e., u Ãâ UT), then current-level(s, u) âⰠ¥ l and l âⰠ¥ classification(s, n), o (i.e., untrusted subjects may not ââ¬Å"downgradeâ⬠the classification of an object). v Ãâ U, (v, n) 2 observe(s) âŠÆ' current-level(s, v) âⰠ¥ l (i.e., if any subject has observation rights to the object n, then the current level of that subject must dominate the new classification of n). Assigning l as the classification of n must not cause the resulting state to violate the *-property. If these conditions are satisfied, the rule modifies the system state by setting classification (s0, n) = l, where s0 denotes the new system state following execution of the rule. Otherwise, the system state is not modified. There are several limitations of BLP: Restricted to confidentiality No policies for changing access rights; a general and complete downgrade is secure; BLP is intended for systems with static security levels. BLP contains covert channels: a low subject can detect the existence of high objects when it is denied access. Sometimes, it is not sufficient to hide only the contents of objects. Also their existence may have to be hidden.
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.