Lattice-based Access Control Models 2 Daniel Trivellato

Dec 13, 2015

Page 1: Lattice-based Access Control Models 2 Daniel Trivellato.

Lattice-based Access Control Models 2

Daniel Trivellato

Page 2

06/10/2008 DTM course - Daniel Trivellato 2

Outline

- Review of BLP
- The Biba model
- Multi-lateral security: the Chinese Wall
- Exercises and discussion

Page 3

Outline

- Review of BLP
- The Biba model
- Multi-lateral security: the Chinese Wall
- Exercises and discussion

Page 4

Security lattice - Example

Levels: TS, S and TS > S
Compartments: Nuclear, Chemical

Lattice (Hasse diagram, from the top element downward):

    TS, {Nuclear, Chemical}
    TS, {Nuclear}   TS, {Chemical}   S, {Nuclear, Chemical}
    TS, {}   S, {Nuclear}   S, {Chemical}
    S, {}

The partial order on security classes is called "dominates": (L1,C1) ≥ (L2,C2) iff L1 ≥ L2 and C2 ⊆ C1.

Page 5

The BLP model

- formalizes a mandatory policy for secrecy
- goal: prevent information flow to LOWER or incomparable security classes
- idea: augment DAC with MAC (security labels) to enforce information flow policies
- two-step approach:
  1. discretionary access matrix D
  2. operations authorized by the MAC policy, over which users have no control

Page 6

BLP mandatory access rules

- object o has security label (class) SL(o)
- subject s has security label (clearance) SL(s)
- simple security property: subject s can read object o only if SL(s) ≥ SL(o) (NO READ UP)
- *-property: subject s can write object o only if SL(o) ≥ SL(s) (NO WRITE DOWN)
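The dominance relation of page 4 and the two BLP rules above, as an added Python example (not code from the slides): it builds the (level, compartments) lattice of the example, implements dominates, lub and glb, and then checks mechanically the property the model is designed for, namely that no subject can move information from a class to one that does not dominate it. The level names, compartment names and the helper names (dominates, lub, glb, blp_can_read, blp_can_write, lattice, flows_only_upward) are this example's own choices.

```python
from itertools import combinations
from typing import Callable, FrozenSet, List, NamedTuple

# Linearly ordered security levels, lowest first (slide example: TS > S),
# and the compartment set. Values taken from the slide's example.
LEVELS: List[str] = ["S", "TS"]
COMPARTMENTS: List[str] = ["Nuclear", "Chemical"]


class SecClass(NamedTuple):
    """A security class (level, set of compartments), e.g. (TS, {Nuclear})."""
    level: str
    compartments: FrozenSet[str]


def dominates(a: SecClass, b: SecClass) -> bool:
    """(L1,C1) >= (L2,C2) iff L1 >= L2 and C2 is a subset of C1."""
    return (LEVELS.index(a.level) >= LEVELS.index(b.level)
            and b.compartments <= a.compartments)


def lub(a: SecClass, b: SecClass) -> SecClass:
    """Least upper bound: the higher level, union of the compartments."""
    return SecClass(max(a.level, b.level, key=LEVELS.index),
                    a.compartments | b.compartments)


def glb(a: SecClass, b: SecClass) -> SecClass:
    """Greatest lower bound: the lower level, intersection of the compartments."""
    return SecClass(min(a.level, b.level, key=LEVELS.index),
                    a.compartments & b.compartments)


def blp_can_read(subject: SecClass, obj: SecClass) -> bool:
    """Simple security property: no read up (SL(s) >= SL(o))."""
    return dominates(subject, obj)


def blp_can_write(subject: SecClass, obj: SecClass) -> bool:
    """*-property: no write down (SL(o) >= SL(s))."""
    return dominates(obj, subject)


def lattice() -> List[SecClass]:
    """Enumerate all n * 2^m classes of LEVELS x P(COMPARTMENTS)."""
    return [SecClass(level, frozenset(combo))
            for level in LEVELS
            for k in range(len(COMPARTMENTS) + 1)
            for combo in combinations(COMPARTMENTS, k)]


Rule = Callable[[SecClass, SecClass], bool]


def flows_only_upward(classes: List[SecClass],
                      can_read: Rule = blp_can_read,
                      can_write: Rule = blp_can_write) -> bool:
    """Information-flow check: whenever one subject may read src and write dst,
    dst must dominate src. The BLP rules guarantee this by transitivity; a rule
    that allows writing down (e.g. 'write iff subject dominates object') does not."""
    return all(dominates(dst, src)
               for s in classes for src in classes for dst in classes
               if can_read(s, src) and can_write(s, dst))


if __name__ == "__main__":
    ts_nuclear = SecClass("TS", frozenset({"Nuclear"}))
    s_chemical = SecClass("S", frozenset({"Chemical"}))
    print("TS,{Nuclear} and S,{Chemical} comparable:",
          dominates(ts_nuclear, s_chemical) or dominates(s_chemical, ts_nuclear))
    print("lattice size:", len(lattice()))
    print("BLP flows only upward:", flows_only_upward(lattice()))
    print("write-down rule flows only upward:",
          flows_only_upward(lattice(), can_write=lambda s, o: dominates(s, o)))
```

The last call swaps the *-property for a deliberately wrong write rule and the check fails: this is the quickest way to see why "no read up" alone is not enough for an information-flow policy.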

Page 7

BLP information flow

[Diagram: SUBJECTS and OBJECTS at the levels TS, S, C and U, with the read and write arrows allowed by the two rules; the "Information flow" arrow runs upwards, from U towards TS.]

Page 8

BLP + tranquility

Tranquility property
- strong: security labels never change during system operation (TOO STRONG!)
- weak: labels never change in such a way as to violate a defined security policy
  - e.g. dynamic upgrade of labels
  - principle of least privilege

Page 9

Outline

- Review of BLP
- The Biba model
- Multi-lateral security: the Chinese wall
- Exercises and discussion

Page 10

Mandatory policies for integrity

- policies for secrecy control only improper leakage of information: they do not safeguard integrity!
- assign integrity classes to:
  - subjects: reflect the subject's trustworthiness not to improperly modify the information
  - objects: reflect the potential damage that could result from improper modification/deletion

Page 11

The Biba model

- defines a mandatory policy for integrity
- goal: prevent information flow to HIGHER or incomparable integrity classes
- the strict integrity policy is based on principles dual to those of BLP

Page 12

Biba mandatory access rules

- object o has integrity label (class) IL(o)
- subject s has integrity label IL(s)
- simple integrity property: subject s can read object o only if IL(s) ≤ IL(o) (NO READ DOWN)
- *-integrity property: subject s can write object o only if IL(s) ≥ IL(o) (NO WRITE UP)

Page 13

Biba information flow

[Diagram: SUBJECTS and OBJECTS at the integrity levels HI, MI and LI, with the read and write arrows allowed by the two rules; the "Information flow" arrow runs downwards, from HI towards LI.]

Page 14

Combining Biba and BLP

- the security class of each object consists of two labels: a security label SL and an integrity label IL
- the combined mandatory controls are:
  - subject s can read object o only if SL(s) ≥ SL(o) and IL(s) ≤ IL(o)
  - subject s can write object o only if SL(s) ≤ SL(o) and IL(s) ≥ IL(o)
- implemented in several OS, DB and network products for the military domain

Page 15

BLP + Biba - Example

SL = {SH, SL}, SH ≥ SL
IL = {IH, IL}, IH ≥ IL

Access of a subject (row) to an object (column): r = read, w = write

    subject \ object   SL,IL   SL,IH   SH,IL   SH,IH
    SL,IL              rw      r       w       -
    SL,IH              w       rw      w       w
    SH,IL              r       r       rw      r
    SH,IH              -       r       w       rw

[Diagrams: the BLP lattice and the Biba lattice over the four classes SL,IL / SL,IH / SH,IL / SH,IH, each with an "Information flow" arrow showing the direction in which information may move.]
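The combined controls of page 14 and the table of page 15, as an added Python example (not code from the slides): the four single-rule checks are written out, the combined read/write rules are their conjunction, and access_table() regenerates the slide's rw/r/w/- matrix from the rules so the two can be compared. The rank dictionaries and the function names are this example's own choices.

```python
from typing import Dict, List, Tuple

# Two-valued orders from the slide: SH >= SL for secrecy, IH >= IL for integrity.
SEC_RANK: Dict[str, int] = {"SL": 0, "SH": 1}
INT_RANK: Dict[str, int] = {"IL": 0, "IH": 1}

# A class is the pair (security label, integrity label), e.g. ("SH", "IL").
Label = Tuple[str, str]
LABELS: List[Label] = [("SL", "IL"), ("SL", "IH"), ("SH", "IL"), ("SH", "IH")]


def blp_can_read(s: Label, o: Label) -> bool:
    """BLP simple security property: SL(s) >= SL(o) (no read up)."""
    return SEC_RANK[s[0]] >= SEC_RANK[o[0]]


def blp_can_write(s: Label, o: Label) -> bool:
    """BLP *-property: SL(s) <= SL(o) (no write down)."""
    return SEC_RANK[s[0]] <= SEC_RANK[o[0]]


def biba_can_read(s: Label, o: Label) -> bool:
    """Biba simple integrity property: IL(s) <= IL(o) (no read down)."""
    return INT_RANK[s[1]] <= INT_RANK[o[1]]


def biba_can_write(s: Label, o: Label) -> bool:
    """Biba *-integrity property: IL(s) >= IL(o) (no write up)."""
    return INT_RANK[s[1]] >= INT_RANK[o[1]]


def combined_can_read(s: Label, o: Label) -> bool:
    """Page 14: SL(s) >= SL(o) and IL(s) <= IL(o)."""
    return blp_can_read(s, o) and biba_can_read(s, o)


def combined_can_write(s: Label, o: Label) -> bool:
    """Page 14: SL(s) <= SL(o) and IL(s) >= IL(o)."""
    return blp_can_write(s, o) and biba_can_write(s, o)


def access_mode(s: Label, o: Label) -> str:
    """'rw', 'r', 'w' or '-', the notation of the slide's table."""
    r, w = combined_can_read(s, o), combined_can_write(s, o)
    return {(True, True): "rw", (True, False): "r",
            (False, True): "w", (False, False): "-"}[(r, w)]


def access_table() -> Dict[Tuple[Label, Label], str]:
    """Access mode for every (subject class, object class) pair."""
    return {(s, o): access_mode(s, o) for s in LABELS for o in LABELS}


def rw_only_when_equal() -> bool:
    """Under the combined policy, both read and write are granted only when the
    subject's class equals the object's: any difference blocks one direction."""
    return all((access_mode(s, o) == "rw") == (s == o)
               for s in LABELS for o in LABELS)


def render_table() -> str:
    """Plain-text table, rows = subject class, columns = object class."""
    def name(label: Label) -> str:
        return ",".join(label)
    lines = ["subject\\object  " + "  ".join(f"{name(o):>6}" for o in LABELS)]
    for s in LABELS:
        lines.append(f"{name(s):<15} "
                     + "  ".join(f"{access_mode(s, o):>6}" for o in LABELS))
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table())
    print("rw only on the diagonal:", rw_only_when_equal())
```

rw_only_when_equal() makes the practical consequence of the combination explicit: a subject can both read and write an object only at exactly its own class, which is why real systems that stack BLP and Biba relax one of the two rules (see the Vista slide later on).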

Page 16

Biba alternative policies

- low-water-mark for subjects (no write up)
  - a subject s can write object o only if IL(s) ≥ IL(o)
  - a subject s can read any object o; after the access IL(s) = glb(IL(s),IL(o))
- low-water-mark for objects (no read down)
  - a subject s can read object o only if IL(o) ≥ IL(s)
  - a subject s can write any object o; after the access IL(o) = glb(IL(s),IL(o))
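Both low-water-mark variants above, as an added Python example (not code from the slides): one small reference monitor that is instantiated either as the "subject" variant (reads always succeed but demote the subject) or the "object" variant (writes always succeed but demote the object), with glb computed on the linear order HI > MI > LI from the diagram. Subject and object names and the class name LowWaterMark are constructed for this example.

```python
from typing import Dict, List, Tuple

# Linearly ordered integrity classes from the slides' diagram, lowest first.
INTEGRITY_ORDER: List[str] = ["LI", "MI", "HI"]
RANK: Dict[str, int] = {label: i for i, label in enumerate(INTEGRITY_ORDER)}


def glb(a: str, b: str) -> str:
    """Greatest lower bound on a linear order is simply the lower label."""
    return a if RANK[a] <= RANK[b] else b


class LowWaterMark:
    """Biba low-water-mark policies.

    policy == "subject": reads always succeed, but afterwards
        IL(s) = glb(IL(s), IL(o)); writes require IL(s) >= IL(o) (no write up).
    policy == "object": writes always succeed, but afterwards
        IL(o) = glb(IL(s), IL(o)); reads require IL(o) >= IL(s) (no read down).
    """

    def __init__(self, policy: str, subjects: Dict[str, str],
                 objects: Dict[str, str]) -> None:
        if policy not in ("subject", "object"):
            raise ValueError("policy must be 'subject' or 'object'")
        self.policy = policy
        self.subjects = dict(subjects)   # current IL(s) per subject
        self.objects = dict(objects)     # current IL(o) per object
        self.log: List[Tuple[str, str, str, bool]] = []   # (s, op, o, allowed)

    def read(self, s: str, o: str) -> bool:
        if self.policy == "subject":
            # Any read is allowed; the subject floats down to the object's level.
            self.subjects[s] = glb(self.subjects[s], self.objects[o])
            allowed = True
        else:
            allowed = RANK[self.objects[o]] >= RANK[self.subjects[s]]
        self.log.append((s, "read", o, allowed))
        return allowed

    def write(self, s: str, o: str) -> bool:
        if self.policy == "subject":
            allowed = RANK[self.subjects[s]] >= RANK[self.objects[o]]
        else:
            # Any write is allowed; the object floats down to the subject's level.
            self.objects[o] = glb(self.subjects[s], self.objects[o])
            allowed = True
        self.log.append((s, "write", o, allowed))
        return allowed


if __name__ == "__main__":
    # Constructed scenario: a HI subject reads a LI download and then can no
    # longer write the HI configuration object.
    m = LowWaterMark("subject", {"alice": "HI"}, {"config": "HI", "download": "LI"})
    m.write("alice", "config")
    m.read("alice", "download")
    m.write("alice", "config")
    for entry in m.log:
        print(entry)
```

The two variants fail in opposite ways: the subject variant quietly strips a process of its integrity after one careless read, while the object variant lets a low-integrity writer taint an object that high-integrity readers then lose access to. The audit log kept by the monitor is what lets an operator see which of the two happened.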

Page 17

Biba weaknesses

- flow controls may turn out to be too restrictive
- in the commercial domain authorizations are linked to programs, rather than to subjects
- enforces integrity only by preventing information flows from lower to higher classifications
  - the integrity problem is much more than this
  - integrity also has to prevent improper use of data: concurrency control and recovery techniques, integrity constraints (limitations on values)

Page 18

Biba in the real world – Windows Vista

- Microsoft Windows Vista adopts a multi-level integrity policy
- file objects are marked with an integrity level: Low, Medium, High, System (critical Vista files)
- Internet Explorer runs by default at Low: things downloaded with IE can read but not write system files or anything else with a higher integrity level
- dropped the no-read-down constraint

Page 19

Alternative models for integrity

Well-formed transaction rules are based on the ACID principles:
- Atomicity: either all actions of a transaction are performed or none of them
- Consistency: a transaction must preserve the integrity constraints on the data
- Isolation: the concurrent execution of a set of transactions must have the same effects as their serial execution
- Durability: results of committed transactions are permanent

ACID does not take into consideration the subject

Page 20

Clark and Wilson (1/2)

Four basic criteria to safeguard integrity:
- Authentication: the system must separately authenticate and identify the user
- Audit: the system must log programs executed and the name of the authorizing user
- Well-formed transactions: data items can be manipulated only by a restricted set of programs that meet the well-formed transaction rule
- Separation of duty: each user is associated with a set of programs to be run, and the set must meet the separation of duty rule

Page 21

Clark and Wilson (2/2)

Advantages
- addresses integrity in a more complete way
- models commercial environments

Shortcomings
- not well formalized: it is difficult to reason about security properties

Page 22

Outline

- Review of BLP
- The Biba model
- Multi-lateral security: the Chinese wall
- Exercises and discussion

Page 23

The Chinese wall

- Brewer and Nash (1989)
- arises in the commercial sector (consultancy)
- goal: prevent information flows which cause conflicts of interest for individual consultants
- mandatory dynamic separation of duty

Page 24

Chinese wall - Motivation

- consultants deal with confidential company information for their clients
- a consultant should not have access to information about, for example, two banks or two oil companies
- this would create a conflict of interest:
  - influence on the analysis
  - disservice to the client
  - potential use for personal profit

Page 25

Objects classification

- the model makes a first distinction between:
  - public objects
  - company information: needs to be protected
- company information is organized hierarchically in 3 levels:
  - basic objects (e.g. files)
  - company datasets: group the objects referring to the same corporation
  - conflict of interest classes: group all the company datasets whose corporations are in competition

Page 26

Object classification - Example

Public information: public bulletin boards, public databases, etc.

Conflict of Interest Class 1
- Company A: ObjA-1, ObjA-2, ObjA-3
- Company B: ObjB-1, ObjB-2

Conflict of Interest Class 2
- Company C: ObjC-1, ObjC-2
- Company D: ObjD-1, ObjD-2, ObjD-3, ObjD-4

Page 27

Policy rules (1/2)

- simple security rule: a subject s can access an object o only if either
  - o is in the same company dataset as all the objects that s has already accessed (within the wall), or
  - o belongs to a different conflict of interest class
- but… users may need to compare information from different corporations!
- sanitization: disguising corporate information, preventing the discovery of its identity

Page 28

Policy rules (2/2)

- *-property: a subject s can write an object o only if
  - access is permitted by the simple security rule, and
  - no object can be read by s (i.e. s has no authorization for it) which (i) is in a different company dataset than o and (ii) contains unsanitized information
- example: Alice reads ObjA-1 and writes ObjC-1; Bob reads ObjC-1 and writes ObjB-1

[Diagram: the object classification of page 26 (Conflict of Interest Class 1: Company A, Company B; Conflict of Interest Class 2: Company C, Company D), with the example flow ObjA-1 → ObjC-1 → ObjB-1 drawn across the company datasets.]

Page 29

Chinese wall axioms

- the simple security property prevents flow by a single user
- the *-property rule prevents indirect flows that can be enacted by collusion between users
- sanitization provides more flexibility w.r.t. the application of the policy
- discretionary access is assumed to be enforced

Page 30

Policy model

- assume there are n conflict of interest classes (COI)
- each object o is labeled with the set of companies of which it contains information: L(o) = {c1, c2, …, cn}, where ci is in COIi ∪ { } (the blank entry meaning no company of that class), for i = {1,…,n}
- the clearance of a user is a high-water mark that can float up in the lattice but not down

Page 31

Chinese wall - Example

- consider 2 conflict of interest classes: Banks = {Bank A, Bank B}, Oil Companies = {OC1, OC2}
- then labels such as {Bank A, OC1, OC2} are contrary to the Chinese wall policy
- a new consultant starts with no mandatory restriction on access rights (i.e. clearance { , })
- if he reads a file about Bank A, his clearance becomes {Bank A, }

Page 32

The lattice

- labels are compared according to the dominance relation, defined as follows: let L1 = {c1_1, c1_2, …, c1_n} and L2 = {c2_1, c2_2, …, c2_n}; then L1 ≥ L2 iff c1_i = c2_i or c2_i is blank, for i = {1,…,n}
- label { , } corresponds to public information
- label SysHigh dominates all other labels
  - it combines information from different companies in the same COI class (access to all)
  - contrary to the Chinese wall policy: no user gets this clearance
  - exceptions: system administration and audit

Page 33

The lattice - Example

Lattice (Hasse diagram, from the bottom element upward):

    { , }
    {Bank A, }   {Bank B, }   { , OC1}   { , OC2}
    {Bank A, OC1}   {Bank A, OC2}   {Bank B, OC1}   {Bank B, OC2}
    SysHigh
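The Chinese wall rules of pages 27 and 28 together with the high-water-mark labels and dominance relation of pages 30 to 33, as an added Python example (not code from the slides or from Brewer and Nash): a reference monitor that keeps each subject's access history, enforces the simple security rule and the *-property, derives the subject's clearance label from the history, and compares labels with the dominance relation. The COI classes and company names are the Banks / Oil Companies example of page 31; the object names, the sanitized flags, the subject names and all function names are constructed for this example. One interpretation is made explicit in a comment: public objects are treated as carrying no unsanitized corporate information.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Conflict of interest classes in a fixed order (page 31's example), so that a
# label is one slot per class, as on page 30.
COI: List[Tuple[str, Tuple[str, ...]]] = [
    ("Banks", ("Bank A", "Bank B")),
    ("Oil Companies", ("OC1", "OC2")),
]
COI_OF: Dict[str, int] = {company: idx
                          for idx, (_, companies) in enumerate(COI)
                          for company in companies}

# A label: one entry per COI class, None standing for the blank entry "{ , }".
Label = Tuple[Optional[str], ...]


@dataclass(frozen=True)
class Obj:
    name: str
    company: Optional[str]      # None = public information
    sanitized: bool = False     # True = company identity disguised


# Constructed sample objects (names and flags invented for this example).
OBJECTS: Dict[str, Obj] = {o.name: o for o in [
    Obj("bankA-report", "Bank A"),
    Obj("bankB-report", "Bank B"),
    Obj("oc1-report", "OC1"),
    Obj("oc2-note", "OC2", sanitized=True),
    Obj("bulletin", None),
]}


class ChineseWall:
    def __init__(self, objects: Dict[str, Obj]) -> None:
        self.objects = objects
        self.history: Dict[str, List[Obj]] = {}   # subject -> objects accessed

    def can_access(self, s: str, o: Obj) -> bool:
        """Simple security rule: same dataset as every earlier access, or a
        different COI class; public objects are always accessible."""
        if o.company is None:
            return True
        for prev in self.history.get(s, []):
            if prev.company is None:
                continue
            if prev.company != o.company and COI_OF[prev.company] == COI_OF[o.company]:
                return False
        return True

    def read(self, s: str, name: str) -> bool:
        """Mediated read: on success the access is recorded in the history."""
        o = self.objects[name]
        if not self.can_access(s, o):
            return False
        self.history.setdefault(s, []).append(o)
        return True

    def can_write(self, s: str, o: Obj) -> bool:
        """*-property: s may write o only if it can access o and there is no
        object s could read that is in another dataset and unsanitized.
        Interpretation (this example's): public objects hold no unsanitized
        corporate information, so they never block a write."""
        if not self.can_access(s, o):
            return False
        for other in self.objects.values():
            corporate_unsanitized = other.company is not None and not other.sanitized
            if (corporate_unsanitized and other.company != o.company
                    and self.can_access(s, other)):
                return False
        return True

    def clearance(self, s: str) -> Label:
        """High-water-mark label (page 30): one company slot per COI class,
        filled in as datasets are accessed; it never floats back down."""
        label: List[Optional[str]] = [None] * len(COI)
        for o in self.history.get(s, []):
            if o.company is not None:
                label[COI_OF[o.company]] = o.company
        return tuple(label)


def dominates(l1: Label, l2: Label) -> bool:
    """Page 32: L1 >= L2 iff for every class i, c1_i = c2_i or c2_i is blank."""
    return all(a == b or b is None for a, b in zip(l1, l2))


if __name__ == "__main__":
    wall = ChineseWall(OBJECTS)
    print("alice reads bankA-report:", wall.read("alice", "bankA-report"))
    print("alice reads bankB-report:", wall.read("alice", "bankB-report"))
    print("alice reads oc1-report:  ", wall.read("alice", "oc1-report"))
    print("alice clearance:", wall.clearance("alice"))
    print("alice may write oc1-report:", wall.can_write("alice", OBJECTS["oc1-report"]))
```

The run shows the two sides of the policy: the wall closes around Bank A after the first read (bankB-report is refused, oc1-report is not), and the *-property then refuses the write to oc1-report because Alice can still read the unsanitized bankA-report, which is exactly the indirect flow of page 28's Alice/Bob example. The clearance tuple is the slide's {Bank A, OC1} label, and dominates() reproduces the ordering of the page 33 diagram.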

Page 34

Chinese wall weaknesses

- not completely formalized
- leaves open problems, such as:
  - keeping and managing the history of accesses
  - ensuring accessibility (e.g. if all the users read the same datasets, the system becomes unusable)
  - data sanitization is not addressed (complex)

Page 35

Summary

- Biba: mandatory policy for integrity
  - principles are dual to BLP
  - combined with BLP to deal with both secrecy and integrity
  - does not take into account all aspects of integrity
- Chinese wall: multi-lateral security model to prevent conflicts of interest for consultants
  - users cannot access (neither directly nor indirectly) information about competing companies

Page 36

Outline

- Review of BLP
- The Biba model
- Multi-lateral security: the Chinese wall
- Exercises and discussion

Page 37

Exercises (lecture 1)

Construct a lattice of security classes for security levels {public, secret, top-secret} and compartments {army, politics, business}

Lattice (Hasse diagram, from the bottom element upward; levels P = public, S = secret, TS = top-secret; compartments A = army, P = politics, B = business):

    P,{}
    S,{}   P,{A}   P,{P}   P,{B}
    TS,{}   P,{A,B}   P,{A,P}   P,{P,B}   S,{A}   S,{P}   S,{B}
    TS,{A}   TS,{P}   TS,{B}   S,{A,B}   S,{A,P}   S,{P,B}   P,{A,P,B}
    TS,{A,B}   TS,{A,P}   TS,{P,B}   S,{A,P,B}
    TS,{A,P,B}

Security levels = n = 3
Compartments = m = 3
Lattice nodes = n * 2^m = 3 * 2^3 = 24

Page 38

Exercises

Is it reasonable for an object to have security label “unclassified” and integrity label “high”? Give an example in which it makes sense.

How can we combine BLP and Biba in such a way that they both allow information to flow only upwards?

Can we combine MAC with RBAC? How?

Page 39

Exercises

What is the conceptual difference between the BLP and the Chinese wall policy?

Why does the Chinese wall policy prohibit a consultant to access information about 2 competing companies?

For which purpose do we need a SysHigh label dominating all other labels in the Chinese wall lattice?

Page 40

Discussion

- Questions
- Issues

Page 41

The most important lesson…

100% security is impossible to achieve… and it would not be flexible enough for ANY real world system!!!

When designing security:
- establish YOUR security goals
- find good compromises
- keep in mind the weaknesses of your system

Page 42

References

- Ravi S. Sandhu – Lattice-Based Access Control Models (strongly recommended)
- Carl E. Landwehr – Formal Models for Computer Security (strongly recommended)
- Pierangela Samarati, Sabrina De Capitani di Vimercati – Access Control: Policies, Models, and Mechanisms (recommended)
- Ross Anderson – Security Engineering (2nd Edition) (suggested)

Page 43

Thank you for your [email protected]