Security Policy Model
Materials credits: M. Bishop, UC Davis; T. Jaeger, Penn State U.
Integrity Policy
Background (1)
- Business tends to focus on integrity rather than confidentiality.
- Subjects and objects may be labeled with integrity levels I, where i1 ≤ i2 means i2 dominates i1.
- Higher level = more trustworthy = higher integrity.
  - Subject: program on Windows CD (trusted) vs. downloaded Java applet (untrusted)
  - Object: system logs (trusted) vs. email attachment from unknown sender (untrusted)
Background (2)
- Integrity policy vs. confidentiality policy
  - Integrity levels ≠ security levels (they may overlap)
  - A General with secret clearance is trusted
  - A company like GE is trusted but not normally allowed to upload military secrets (unless they have a contract)
- Information flows differently
  - Information is disclosed (flows down) when:
    - Read-up: a visitor (unclassified) reads personnel files (secret)
    - Write-down: a cryptographer (secret) writes an activity log (unclassified)
  - Information is corrupted (flows up) when:
    - Read-down: IE (trusted) opens a file having a virus (untrusted)
    - Write-up: a downloaded Java applet (untrusted) writes something into the Windows registry (trusted)
[Figure: two ladders side by side, security levels (secret above unclassified) and integrity levels (trusted above untrusted)]
Strict Integrity Policy: The Biba Model
- If BLP prevents information from flowing down (being disclosed), then BLP-upside-down will prevent information from flowing up (getting corrupted).
[Figure: Biba integrity ladder, top to bottom: High Integrity, Some integrity, Suspicious, Garbage. The upward arrow marks the "≤ or dominates" relation; the downward arrow marks the permitted direction of information flow.]
Biba = BLP Upside-down
- BLP = read-down and write-up; Biba = read-up and write-down
[Figure: the same Biba ladder (High Integrity, Some integrity, Suspicious, Garbage) with "read" arrows pointing up and "write" arrows pointing down, so information flows only downward.]
Notation
- S = subjects, O = objects, I = integrity levels
- i1 ≤ i2 says i2 dominates i1
- min(i1, i2) is the lesser of i1 and i2
- i(s), i(o) = integrity level of s ∈ S and o ∈ O
- s r o says s can read o; s w o says s can write o; s x s' says s can execute s'
Strict Integrity Policy (formal)
Biba's Model: for any s ∈ S and o ∈ O
1. s r o iff I(s) ≤ I(o) (read-up)
2. s w o iff I(o) ≤ I(s) (write-down)
3. s1 x s2 iff I(s2) ≤ I(s1) (execute-up)
- execute is a special type of read. Why? Execution does not corrupt code!
- Can add compartments and discretionary controls to get the full dual of BLP
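To make the three rules concrete, here is an added Python example (mine, not code from the slides or from Bishop or Jaeger). The four level names are the ones on the Biba ladder slide, the rules are the three above, and the requests are modelled on the Background examples; placing those examples on the four-level ladder, and every function name, is my assumption. Beyond the single checks, allowed_flows() enumerates the direction every permitted read or write moves data and never_flows_up() confirms the property the model exists for:

```python
"""Biba strict integrity rules on a total order of integrity levels.

Added worked example; not from the slides. The four level names come from the
Biba slide, the three rules from the formal slide, and the requests from the
Background slides. Mapping those requests onto the four levels, and every
function name here, is my assumption.
"""

# Integrity ladder from the slide, lowest first (constructed ranking).
LEVELS = ["Garbage", "Suspicious", "Some integrity", "High Integrity"]
RANK = {name: n for n, name in enumerate(LEVELS)}


def dominates(i2, i1):
    """i2 dominates i1 exactly when i1 <= i2 in the integrity order."""
    return RANK[i1] <= RANK[i2]


def can_read(i_s, i_o):
    """Rule 1 (read-up): s r o iff I(s) <= I(o)."""
    return dominates(i_o, i_s)


def can_write(i_s, i_o):
    """Rule 2 (write-down): s w o iff I(o) <= I(s)."""
    return dominates(i_s, i_o)


def can_execute(i_s1, i_s2):
    """Rule 3 as stated on the slide: s1 x s2 iff I(s2) <= I(s1)."""
    return dominates(i_s1, i_s2)


def allowed_flows():
    """Every (source, destination) pair of levels along which an allowed
    operation moves information: a read copies o -> s, a write copies s -> o."""
    flows = set()
    for s in LEVELS:
        for o in LEVELS:
            if can_read(s, o):
                flows.add((o, s))
            if can_write(s, o):
                flows.add((s, o))
    return flows


def never_flows_up():
    """The property Biba is built for: no allowed operation moves data from a
    lower integrity level to a strictly higher one."""
    return all(RANK[src] >= RANK[dst] for src, dst in allowed_flows())


def decide(subject, i_s, op, obj, i_o):
    """One request rendered as an audit line; 'exec' applies rule 3."""
    rule = {"read": can_read, "write": can_write, "exec": can_execute}[op]
    verdict = "ALLOW" if rule(i_s, i_o) else "DENY"
    return f"{verdict} {subject}[{i_s}] {op} {obj}[{i_o}]"


# Constructed requests modelled on the slides' examples (levels are my choice).
REQUESTS = [
    ("java applet", "Suspicious", "write", "windows registry", "High Integrity"),
    ("IE", "High Integrity", "read", "email attachment", "Garbage"),
    ("installer", "High Integrity", "read", "signed CD program", "High Integrity"),
    ("user shell", "Some integrity", "write", "scratch file", "Suspicious"),
]


def run_requests():
    return [decide(*req) for req in REQUESTS]


if __name__ == "__main__":
    print("\n".join(run_requests()))
    print("no upward flow:", never_flows_up())
```

The first two requests are the two corruption cases from the Background slide (write-up by the applet, read-down by the browser) and both are denied; the last two are ordinary reads from a more trustworthy source and writes to a less trustworthy sink, which the model permits.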
Combining Biba and BLP
- Important: security levels (BLP) and integrity levels (Biba) are two different things
- Whether they overlap one another depends on the application
- When they do overlap, enforcement of BLP and Biba may conflict
Combining Biba and BLP (Cont'd)
- What if they are exactly reversed?
  - Secret and untrusted: downloaded software is untrusted and should not be read/executed by everyone
  - Unclassified and trusted: system binaries are trusted and can be executed by anyone
- Then both the rules and the levels are dual, so BLP and Biba work in the same way
  - Read-down in BLP becomes read-up in Biba
  - Write-up in BLP becomes write-down in Biba
Combining Biba and BLP (Cont'd)
- Suppose that an object is a (top-secret, user) object
  - Only subjects that are authorized to read both top-secret objects (BLP) and user objects (Biba) may read it
  - Neither a (secret, low) nor a (top-secret, appl) subject is allowed to read this object
- As for writing, a subject's integrity and secrecy classes must individually permit the subject to write to the object for the write to be authorized
Typical Commercial Requirements
1. Users do not write their own programs, but use existing production programs and databases.
2. Programmers develop and test programs on a non-production system; if they need access to production data, they are given data via a special process and can only use it on the development system.
3. A special process must be followed to transfer a program from the development system onto the production system.
4. The special process of requirement 3 must be controlled and audited.
5. The managers and auditors must have access to both the system state and system logs that are generated.
Lipner's Lattice (BLP + Biba)
- A realistic example showing that BLP and Biba can be combined to meet commercial requirements
- How does it combine BLP and Biba?
  - Uses disjoint sets of security levels and integrity levels
  - BLP goes first, and Biba is added in only when necessary
The BLP Part
- 2 security clearances/classifications
  - AM (Audit Manager): system audit, management functions
  - SL (System Low): any process can read at this level
- 3 security categories
  - SP (Production): production code, data
  - SD (Development): production code in development
  - SSD (System Development): system code in development
- Security level = (classification, category)
The Biba Part
- 3 integrity classifications
  - ISP (System Program): for system programs
  - IO (Operational): production programs, development software
  - ISL (System Low): users get this on log in
- 2 integrity categories
  - ID (Development): development entities
  - IP (Production): production entities
- Integrity level = (classification, category)
Subjects' Levels at a Glance

Subjects                     | Security Level                              | Integrity Level
Ordinary users               | (SL, {SP})                                  | (ISL, {IP})
Application developers       | (SL, {SD})                                  | (ISL, {ID})
System programmers           | (SL, {SSD})                                 | (ISL, {ID})
System managers and auditors | (AM, {SP, SD, SSD})                         | (ISL, ∅)
System controllers           | (SL, {SP, SD, SSD}) and downgrade privilege | (ISP, {IP, ID})
Repair                       | (SL, {SP})                                  | (ISL, {IP})
Objects' Levels at a Glance

Objects                         | Security Level      | Integrity Level
Development code/test data      | (SL, {SD})          | (ISL, {ID})
Production code                 | (SL, {SP})          | (IO, {IP})
Production data                 | (SL, {SP})          | (ISL, {IP})
Software tools                  | (SL, ∅)             | (IO, {ID})
System programs                 | (SL, ∅)             | (ISP, {IP, ID})
System programs in modification | (SL, {SSD})         | (ISL, {ID})
System and application logs     | (AM, {SP, SD, SSD}) | (ISL, ∅)
Repair                          | (SL, {SP})          | (ISL, {IP})
The Lattice (Lipner's Lattice)
- Only 9 out of 192 labels are used
- Associate subjects and objects with lattice labels
- Integrity level downgraded when executing objects of lower integrity level
[Figure: the lattice drawn with the labels in use, each written as (security level; integrity level), and the subjects (S) and objects (O) placed at them:]
  AM, {SP, SD, SSD}; ISL, ∅          S: sys. manager        O: log (sys. + app.)
  SL, {SP, SD, SSD}; ISP, {IP, ID}   S: sys. controller
  SL, {SSD}; ISL, {ID}               S: sys. programmer     O: sys. program in development
  SL, {SD}; ISL, {ID}                S: app. developer      O: dev. code
  SL, {SP}; ISL, {IP}                S: ord. users, repair  O: prod. data, repair
  SL, {SP}; IO, {IP}                                        O: prod. code
  SL, ∅; ISP, {IP, ID}                                      O: sys. program
  SL, ∅; IO, {ID}                                           O: soft. tools
LEGEND: S: subjects, O: objects
What Does It Achieve?
- Ordinary users can execute (read) production code but cannot alter it
- Ordinary users can alter and read production data
- System managers need access to all logs but cannot change the levels of objects
- System controllers need to install code (hence the downgrade capability)
- Logs are append only, so must dominate the subjects writing them
- These meet the stated requirements (verify if you want)
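Taking up the "verify if you want", here is an added Python example (mine, not the slides' or the authors' code) that encodes the two "at a glance" tables and checks each claim above by applying BLP and Biba together, which is also the rule from the "Combining Biba and BLP" slides: a subject's security label and integrity label must each permit the access on their own. The level orders and tables are transcribed from the slides. My assumptions are the helper names, treating execute as a read, modelling the "integrity level downgraded when executing" annotation as the greatest lower bound of the two integrity labels, and modelling the controllers' install step as an explicit relabel that sits outside the lattice rules:

```python
"""Lipner's lattice (BLP + Biba) checked mechanically.

Added worked example; not the slides' or the authors' code. The level orders
and the subject/object tables are transcribed from the slides. Everything
else is my assumption: the helper names, treating execute as a read, modelling
the integrity downgrade on execute as the greatest lower bound of the two
integrity labels, and modelling the system controllers' install step as an
explicit relabel outside the lattice rules.
"""
from dataclasses import dataclass

# Classification orders, lowest first (from the slides).
SEC_ORDER = {"SL": 0, "AM": 1}
INT_ORDER = {"ISL": 0, "IO": 1, "ISP": 2}


@dataclass(frozen=True)
class Label:
    """(classification, category set); the same shape serves BLP and Biba."""
    cls: str
    cats: frozenset

    def dominates(self, other, order):
        return order[self.cls] >= order[other.cls] and other.cats <= self.cats

    def meet(self, other, order):
        """Greatest lower bound: the lower classification, the common categories."""
        lo = min(self.cls, other.cls, key=order.__getitem__)
        return Label(lo, self.cats & other.cats)


def lab(cls, *cats):
    return Label(cls, frozenset(cats))


# name -> (security level, integrity level), from the "at a glance" tables
SUBJECTS = {
    "ordinary user":  (lab("SL", "SP"), lab("ISL", "IP")),
    "app developer":  (lab("SL", "SD"), lab("ISL", "ID")),
    "sys programmer": (lab("SL", "SSD"), lab("ISL", "ID")),
    "sys manager":    (lab("AM", "SP", "SD", "SSD"), lab("ISL")),
    "sys controller": (lab("SL", "SP", "SD", "SSD"), lab("ISP", "IP", "ID")),
    "repair":         (lab("SL", "SP"), lab("ISL", "IP")),
}
OBJECTS = {
    "dev code":        (lab("SL", "SD"), lab("ISL", "ID")),
    "production code": (lab("SL", "SP"), lab("IO", "IP")),
    "production data": (lab("SL", "SP"), lab("ISL", "IP")),
    "software tools":  (lab("SL"), lab("IO", "ID")),
    "system programs": (lab("SL"), lab("ISP", "IP", "ID")),
    "sys programs in modification": (lab("SL", "SSD"), lab("ISL", "ID")),
    "logs":            (lab("AM", "SP", "SD", "SSD"), lab("ISL")),
    "repair":          (lab("SL", "SP"), lab("ISL", "IP")),
}


def can_read(subject, obj):
    """BLP read-down AND Biba read-up; execute is treated as a read here."""
    s_sec, s_int = SUBJECTS[subject]
    o_sec, o_int = OBJECTS[obj]
    return s_sec.dominates(o_sec, SEC_ORDER) and o_int.dominates(s_int, INT_ORDER)


def can_write(subject, obj):
    """BLP write-up (*-property) AND Biba write-down."""
    s_sec, s_int = SUBJECTS[subject]
    o_sec, o_int = OBJECTS[obj]
    return o_sec.dominates(s_sec, SEC_ORDER) and s_int.dominates(o_int, INT_ORDER)


def integrity_after_execute(subject, obj):
    """Subject's integrity label after running obj: lowered to the meet
    (my model of 'integrity level downgraded when executing')."""
    return SUBJECTS[subject][1].meet(OBJECTS[obj][1], INT_ORDER)


def install(subject):
    """Trusted relabel of 'sys programs in modification' to 'system programs'.
    Not a lattice rule: it drops the SSD security category and raises integrity
    to ISP, which is why only system controllers hold the downgrade privilege."""
    if subject != "sys controller":
        raise PermissionError(f"{subject} lacks the downgrade privilege")
    return OBJECTS["system programs"]


def achievements():
    """The claims on the 'What does it achieve?' slide, checked from the tables."""
    return {
        "users run production code": can_read("ordinary user", "production code"),
        "users cannot alter production code": not can_write("ordinary user", "production code"),
        "users read and alter production data":
            can_read("ordinary user", "production data") and can_write("ordinary user", "production data"),
        "managers read logs": can_read("sys manager", "logs"),
        "logs append-only for users":
            can_write("ordinary user", "logs") and not can_read("ordinary user", "logs"),
        "developers kept off production data": not can_read("app developer", "production data"),
        "controllers need downgrade to install": not can_write("sys controller", "system programs"),
    }


if __name__ == "__main__":
    for claim, holds in achievements().items():
        print(f"{'OK  ' if holds else 'FAIL'} {claim}")
    print("controller running tools ->", integrity_after_execute("sys controller", "software tools"))
```

Two of the results are worth reading off by hand. Ordinary users fail to read the logs because the BLP half rejects it (SL does not dominate AM) even though the Biba half would allow it, while their append succeeds because the log's security label dominates theirs and its empty integrity category set is dominated by theirs. System controllers cannot write system programs directly because the *-property refuses a write from {SP, SD, SSD} into an object with no categories; the relabel in install() is exactly the step the lattice cannot express, which is why that role carries a separate privilege.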
Key Points
- The commercial world needs integrity
- Biba model
  - Dual of BLP (or BLP-upside-down)
  - Integrity levels distinct from security levels
  - Information flows differently
  - Can be combined with BLP
- Lipner's lattice combines the two to meet commercial requirements