Security Policy Model
Materials credits: M. Bishop, UC Davis; T. Jaeger, Penn State U.

Post on 19-Jan-2016



Integrity Policy


Background (1)
Business tends to focus on integrity rather than confidentiality.
Subjects and objects may be labeled with integrity levels I, where i1 ≤ i2 means i2 dominates i1.
Higher level = more trustworthy = higher integrity.
Subject: program on Windows CD (trusted) vs. downloaded Java applet (untrusted).
Object: system logs (trusted) vs. email attachment from unknown sender (untrusted).


Background (2)
Integrity policy vs. confidentiality policy
Integrity levels ≠ security levels (they may overlap):
A General with secret clearance is trusted.
A company like GE is trusted but not normally allowed to upload military secrets (unless they have a contract).
Information flows differently.
Information is disclosed (flows down) when:
Read-up: a visitor (unclassified) reads personnel files (secret).
Write-down: a cryptographer (secret) writes an activity log (unclassified).
Information is corrupted (flows up) when:
Read-down: IE (trusted) opens a file having a virus (untrusted).
Write-up: a downloaded Java applet (untrusted) writes something into the Windows registry (trusted).
[Figure: security levels secret / unclassified beside integrity levels trusted / untrusted]


Strict Integrity policy: The Biba Model
If BLP prevents information from flowing down (being disclosed),
BLP-upside-down will prevent information from flowing up (getting corrupted).
[Figure: Biba integrity levels, top to bottom: High Integrity, Some integrity, Suspicious, Garbage; arrows labeled "dominate" and "information flow"]


Biba = BLP Upside-down
BLP = read-down and write-up; Biba = read-up and write-down.
[Figure: Biba integrity levels, top to bottom: High Integrity, Some integrity, Suspicious, Garbage; arrows labeled "write", "read" and "information flow"]


Notation
S = subjects, O = objects, I = integrity levels.
i1 ≤ i2 says i2 dominates i1.
min(i1, i2) is the lesser of i1 and i2.
i(s), i(o) = integrity level of s ∈ S and o ∈ O.
s r o says s can read o; s w o says s can write o; s x s’ says s can execute s’.


Strict Integrity Policy (formal)
Biba’s Model: for any s ∈ S and o ∈ O,
1. s r o iff i(s) ≤ i(o) (read-up)
2. s w o iff i(o) ≤ i(s) (write-down)
3. s1 x s2 iff i(s2) ≤ i(s1) (execute-up)
Execute is a special type of read. Why? Because execution does not corrupt code!
Can add compartments and discretionary controls to get the full dual of BLP.


Combining Biba and BLP
Important: security levels (BLP) and integrity levels (Biba) are two different things.
Whether they overlap one another depends on applications.
When they do overlap, enforcement of BLP and Biba may conflict.


Combining Biba and BLP (Cont’d)
What if they are exactly reversed?
Secret and un-trusted: downloaded software is un-trusted and should not be read/executed by everyone.
Unclassified and trusted: system binaries are trusted and can be executed by anyone.
Then both the rules and the levels are dual, so BLP and Biba work in the same way:
Read-down in BLP becomes read-up in Biba.
Write-up in BLP becomes write-down in Biba.


Combining Biba and BLP (Cont’d)
Suppose that an object is a (top-secret, user) object. Only subjects that are authorized to read both top-secret objects (BLP) and user objects (Biba) may read it: neither a (secret, low) subject nor a (top-secret, appl) subject is allowed to read this object.
As for writing, a subject’s integrity and secrecy classes must individually permit the subject to write to the object for the write to be authorized.
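The strict-integrity rules above, their BLP dual, and the "both models must permit" combination from this slide, as an added Python example (not code from the slides or from Bishop or Jaeger). Levels are modelled as integers so that i1 ≤ i2 is exactly "i2 dominates i1"; the level names in INTEGRITY and SECURITY are constructed, and the ordering low < user < appl for the slide's integrity class names is an assumption made to run the (top-secret, user) example.

```python
"""Added example: strict Biba rules beside their BLP dual, plus the combined check.

Integer levels: for integrity, higher = more trustworthy; for security,
higher = more secret. All level names below are constructed for the demo.
"""
from itertools import product

# Constructed integrity ordering (Biba): higher number = higher integrity.
INTEGRITY = {"garbage": 0, "suspicious": 1, "some": 2, "high": 3}
# Constructed security ordering (BLP): higher number = more secret.
SECURITY = {"unclassified": 0, "secret": 1, "top-secret": 2}
# Assumed ordering for the slide's integrity class names: low < user < appl.
INTEGRITY_CLASSES = {"low": 0, "user": 1, "appl": 2}


# --- Biba strict integrity -------------------------------------------------
def biba_read(i_s: int, i_o: int) -> bool:
    """s r o iff i(s) <= i(o): read only objects at least as trustworthy (read-up)."""
    return i_s <= i_o


def biba_write(i_s: int, i_o: int) -> bool:
    """s w o iff i(o) <= i(s): write only objects the subject dominates (write-down)."""
    return i_o <= i_s


def biba_execute(i_s1: int, i_s2: int) -> bool:
    """s1 x s2 iff i(s2) <= i(s1)."""
    return i_s2 <= i_s1


# --- BLP: the same two rules with the inequality reversed -------------------
def blp_read(l_s: int, l_o: int) -> bool:
    """Simple security property (read-down): l(o) <= l(s)."""
    return l_o <= l_s


def blp_write(l_s: int, l_o: int) -> bool:
    """*-property (write-up): l(s) <= l(o)."""
    return l_s <= l_o


# --- Information flow: can some subject carry data from src to dst? ---------
def biba_flow_possible(i_src: int, i_dst: int) -> bool:
    """True iff a subject at some level may read src and then write dst."""
    return any(biba_read(i_s, i_src) and biba_write(i_s, i_dst)
               for i_s in INTEGRITY.values())


def blp_flow_possible(l_src: int, l_dst: int) -> bool:
    return any(blp_read(l_s, l_src) and blp_write(l_s, l_dst)
               for l_s in SECURITY.values())


def flow_directions() -> dict:
    """For each model, (every downward flow allowed?, any upward flow allowed?)."""
    ints = list(product(INTEGRITY.values(), repeat=2))
    secs = list(product(SECURITY.values(), repeat=2))
    biba_down = all(biba_flow_possible(a, b) for a, b in ints if b < a)
    biba_up = any(biba_flow_possible(a, b) for a, b in ints if b > a)
    blp_down = any(blp_flow_possible(a, b) for a, b in secs if b < a)
    blp_up = all(blp_flow_possible(a, b) for a, b in secs if b > a)
    return {"biba": (biba_down, biba_up), "blp": (blp_down, blp_up)}


# --- Combined BLP + Biba: each model must individually permit the access ----
def combined_read(subject: tuple, obj: tuple) -> bool:
    """Labels are (security name, integrity class name), e.g. ("secret", "low")."""
    (sec_s, int_s), (sec_o, int_o) = subject, obj
    return (blp_read(SECURITY[sec_s], SECURITY[sec_o])
            and biba_read(INTEGRITY_CLASSES[int_s], INTEGRITY_CLASSES[int_o]))


def combined_write(subject: tuple, obj: tuple) -> bool:
    (sec_s, int_s), (sec_o, int_o) = subject, obj
    return (blp_write(SECURITY[sec_s], SECURITY[sec_o])
            and biba_write(INTEGRITY_CLASSES[int_s], INTEGRITY_CLASSES[int_o]))


if __name__ == "__main__":
    print(flow_directions())   # Biba: down only; BLP: up only
    target = ("top-secret", "user")
    for s in [("secret", "low"), ("top-secret", "appl"), ("top-secret", "low")]:
        print(s, "read:", combined_read(s, target), "write:", combined_write(s, target))
```

flow_directions() shows the duality mechanically: under Biba every downward flow (high integrity to low) has some subject that can perform it and no upward flow does, while BLP gives the mirror image. The (secret, low) subject is stopped by the BLP read rule, the (top-secret, appl) subject by the Biba read rule, and only a subject that passes both, such as (top-secret, low) under the assumed ordering, may read the object.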


Typical Commercial Requirements

1. Users do not write their own programs, but use existing production programs and databases.

2. Programmers develop and test programs on a non-production system; if they need access to production data, they are given data via a special process and can only use it on the development system.

3. A special process must be followed to transfer a program from the development system onto the production system.

4. The special process of requirement 3 must be controlled and audited.

5. The managers and auditors must have access to both the system state and system logs that are generated.


Lipner’s Lattice (BLP+Biba)
A realistic example showing that BLP and Biba can be combined to meet commercial requirements.
How does it combine BLP and Biba?
Uses disjoint sets of security levels and integrity levels.
BLP goes first, and adds in Biba only when necessary.


The BLP Part
2 security clearances/classifications:
AM (Audit Manager): system audit, management functions
SL (System Low): any process can read at this level
3 security categories:
SP (Production): production code, data
SD (Development): production code in development
SSD (System Development): system code in development
Security level = (classification, category)


The Biba Part
3 integrity classifications:
ISP (System Program): for system programs
IO (Operational): production programs, development software
ISL (System Low): users get this on login
2 integrity categories:
ID (Development): development entities
IP (Production): production entities
Integrity level = (classification, category)


Subjects’ Levels at a Glance

Subjects                       Security Level                                   Integrity Level
Ordinary users                 (SL, { SP })                                     (ISL, { IP })
Application developers         (SL, { SD })                                     (ISL, { ID })
System programmers             (SL, { SSD })                                    (ISL, { ID })
System managers and auditors   (AM, { SP, SD, SSD })                            (ISL, ∅)
System controllers             (SL, { SP, SD, SSD }) and downgrade privilege    (ISP, { IP, ID })
Repair                         (SL, { SP })                                     (ISL, { IP })


Objects’ Levels at a Glance

Objects                            Security Level            Integrity Level
Development code/test data         (SL, { SD })              (ISL, { ID })
Production code                    (SL, { SP })              (IO, { IP })
Production data                    (SL, { SP })              (ISL, { IP })
Software tools                     (SL, ∅)                   (IO, { ID })
System programs                    (SL, ∅)                   (ISP, { IP, ID })
System programs in modification    (SL, { SSD })             (ISL, { ID })
System and application logs        (AM, { SP, SD, SSD })     (ISL, ∅)
Repair                             (SL, { SP })              (ISL, { IP })


The Lattice (Lipner’s Lattice)
Associate subjects and objects with lattice labels. Only 9 out of 192 labels are used.
Legend: S = subjects, O = objects
[Figure: lattice of the labels in use, each written as (security level; integrity level)]
(AM, { SP, SD, SSD }; ISL, ∅): S: system manager; O: log (system + application)
(SL, { SP, SD, SSD }; ISP, { IP, ID }): S: system controller
(SL, { SSD }; ISL, { ID }): S: system programmer; O: system program in development
(SL, { SD }; ISL, { ID }): S: application developer; O: development code
(SL, { SP }; ISL, { IP }): S: ordinary users, repair; O: production data, repair
(SL, { SP }; IO, { IP }): O: production code
(SL, ∅; ISP, { IP, ID }): O: system program
(SL, ∅; IO, { ID }): O: software tools
Integrity level is downgraded when executing objects of lower integrity level.


What Does it Achieve?
Ordinary users can execute (read) production code but cannot alter it.
Ordinary users can alter and read production data.
System managers need access to all logs but cannot change levels of objects.
System controllers need to install code (hence the downgrade capability).
Logs are append only, so they must dominate the subjects writing them.
These meet the stated requirements (verify if you want).
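The "verify if you want" invitation carried out in code, as an added Python example that is not part of the slides or of Lipner's or Bishop's own material. Labels are (classification, category set) pairs taken from the two "at a glance" tables; a label dominates another iff its classification is at least as high and its category set is a superset. The classification orderings SL < AM and ISL < IO < ISP are assumed from the slide descriptions (system low at the bottom, audit manager and system program at the top), and the object name "system programs in mod." abbreviates "system programs in modification". Reads and writes must be permitted by BLP on the security label and by Biba on the integrity label individually.

```python
"""Added example: Lipner's lattice checked mechanically against the slide's claims."""
from typing import Dict, FrozenSet, NamedTuple, Tuple


class Label(NamedTuple):
    cls: int                 # rank of the classification within its ordering
    cats: FrozenSet[str]     # category set

    def dominates(self, other: "Label") -> bool:
        # Lattice order: higher-or-equal classification and a superset of categories.
        return self.cls >= other.cls and self.cats >= other.cats


SEC_CLASSES = {"SL": 0, "AM": 1}              # assumed: SL < AM
INT_CLASSES = {"ISL": 0, "IO": 1, "ISP": 2}   # assumed: ISL < IO < ISP


def sec(cls: str, *cats: str) -> Label:
    return Label(SEC_CLASSES[cls], frozenset(cats))


def integ(cls: str, *cats: str) -> Label:
    return Label(INT_CLASSES[cls], frozenset(cats))


Entity = Tuple[Label, Label]  # (security label, integrity label)

# Subject labels from the "Subjects' Levels at a Glance" table.
SUBJECTS: Dict[str, Entity] = {
    "ordinary user":     (sec("SL", "SP"),              integ("ISL", "IP")),
    "app developer":     (sec("SL", "SD"),              integ("ISL", "ID")),
    "system programmer": (sec("SL", "SSD"),             integ("ISL", "ID")),
    "system manager":    (sec("AM", "SP", "SD", "SSD"), integ("ISL")),
    "system controller": (sec("SL", "SP", "SD", "SSD"), integ("ISP", "IP", "ID")),
    "repair":            (sec("SL", "SP"),              integ("ISL", "IP")),
}

# Object labels from the "Objects' Levels at a Glance" table.
OBJECTS: Dict[str, Entity] = {
    "development code":        (sec("SL", "SD"),              integ("ISL", "ID")),
    "production code":         (sec("SL", "SP"),              integ("IO", "IP")),
    "production data":         (sec("SL", "SP"),              integ("ISL", "IP")),
    "software tools":          (sec("SL"),                    integ("IO", "ID")),
    "system programs":         (sec("SL"),                    integ("ISP", "IP", "ID")),
    "system programs in mod.": (sec("SL", "SSD"),             integ("ISL", "ID")),
    "logs":                    (sec("AM", "SP", "SD", "SSD"), integ("ISL")),
    "repair":                  (sec("SL", "SP"),              integ("ISL", "IP")),
}


def can_read(subject: str, obj: str) -> bool:
    (s_sec, s_int), (o_sec, o_int) = SUBJECTS[subject], OBJECTS[obj]
    blp_ok = s_sec.dominates(o_sec)    # simple security property: read-down
    biba_ok = o_int.dominates(s_int)   # strict integrity: read-up
    return blp_ok and biba_ok


def can_write(subject: str, obj: str) -> bool:
    (s_sec, s_int), (o_sec, o_int) = SUBJECTS[subject], OBJECTS[obj]
    blp_ok = o_sec.dominates(s_sec)    # *-property: write-up
    biba_ok = s_int.dominates(o_int)   # strict integrity: write-down
    return blp_ok and biba_ok


def access(subject: str, obj: str) -> str:
    """'r', 'w', 'rw' or '-' for the pair, with both models applied."""
    rights = ("r" if can_read(subject, obj) else "") + ("w" if can_write(subject, obj) else "")
    return rights or "-"


def access_matrix() -> Dict[str, Dict[str, str]]:
    return {s: {o: access(s, o) for o in OBJECTS} for s in SUBJECTS}


if __name__ == "__main__":
    width = max(len(o) for o in OBJECTS)
    print(" " * 18 + "  ".join(o.rjust(width) for o in OBJECTS))
    for s, row in access_matrix().items():
        print(s.ljust(18) + "  ".join(v.rjust(width) for v in row.values()))
```

Reading the matrix off against the slide: ordinary users get "r" on production code and "rw" on production data; they get "w" but not "r" on the logs, because the logs' security label dominates theirs (append only); system managers get "rw" on the logs at their own label; and system controllers get only "r" on system programs, since the *-property refuses a write from (SL, {SP, SD, SSD}) to (SL, ∅), which is exactly why installing code needs the separate downgrade privilege rather than an ordinary write.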


Key Points
Commercial world needs integrity.
Biba model: dual of BLP (or BLP-upside-down).
Integrity levels distinct from security levels; information flows differently.
Can be combined with BLP.
Lipner’s lattice combines the two to meet commercial requirements.
