SESSION LATTICE-BASED ACCESS CONTROL MODELS Ravi Sandhu George Mason University Fairfax, Virginia USA
Mar 26, 2015

Page 1:

LATTICE-BASED ACCESS CONTROL MODELS

Ravi Sandhu
George Mason University
Fairfax, Virginia, USA

Page 2:

LATTICE-BASED MODELS

• Denning's axioms and lattices
• Bell-LaPadula model (BLP)
• Integrity and information flow
• The Chinese Wall lattice

Page 3:

DENNING'S AXIOMS

< SC, →, ⊕ >

SC: set of security classes

→ ⊆ SC × SC: flow relation (i.e., can-flow); A → B means information in class A may flow into class B

⊕: SC × SC → SC: class-combining operator; A ⊕ B is the class of information derived from both A and B

Page 4:

DENNING'S AXIOMS

< SC, →, ⊕ >

1. SC is finite
2. → is a partial order on SC
3. SC has a lower bound L such that L → A for all A ∈ SC
4. ⊕ is a least upper bound (lub) operator on SC

Justification for 1 and 2 is stronger than for 3 and 4. In practice we may therefore end up with a partially ordered set (poset) rather than a lattice.

Page 5:

LATTICE STRUCTURES

Compartments and Categories (all subsets of {ARMY, NUCLEAR, CRYPTO}, ordered by set inclusion; lub is union):

{ARMY, NUCLEAR, CRYPTO}
{ARMY, NUCLEAR}   {ARMY, CRYPTO}   {NUCLEAR, CRYPTO}
{ARMY}   {NUCLEAR}   {CRYPTO}
{}

Page 6:

LATTICE STRUCTURES

Hierarchical Classes with Compartments

Hierarchical levels:
TS
S

Compartments:
{A,B}
{A}   {B}
{}

product of 2 lattices is a lattice

Page 7:

LATTICE STRUCTURES

Hierarchical Classes with Compartments: the product of the level chain TS > S and the compartment lattice. Label (l1, c1) dominates (l2, c2) iff l1 ≥ l2 and c1 ⊇ c2, so each (TS, c) dominates (S, c) while, e.g., (TS, {}) and (S, {A,B}) are incomparable.

TS, {A,B}
TS, {A}   TS, {B}
TS, {}

S, {A,B}
S, {A}   S, {B}
S, {}

Page 8:

SMITH'S LATTICE

[Hasse diagram in the original. Hierarchical levels U, C, S, TS; compartments A, K, L, Q, W, X, Y, Z. Labels appearing in the diagram, by level:]

U, C, S, TS
S-L, S-A, S-W, S-LW
TS-L, TS-K, TS-Y, TS-Q, TS-Z, TS-X, TS-W
TS-KL, TS-KLX, TS-KY, TS-KQZ
TS-AKLQWXYZ

Page 9:

SMITH'S LATTICE

• With large lattices a vanishingly small fraction of the labels will actually be used

• Smith's lattice: 4 hierarchical levels, 8 compartments, therefore number of possible labels = 4 × 2^8 = 1024; only 21 labels are actually used (2%)

• Consider 16 hierarchical levels and 64 compartments, which gives 16 × 2^64 ≈ 3 × 10^20 labels

Page 10:

EMBEDDING A POSET IN A LATTICE

Poset (not a lattice: {A} and {B} have two minimal upper bounds, {A,B,C} and {A,B,D}, but no least one, and no common lower bound):

{A,B,C}   {A,B,D}
{A}   {B}

Embedded in a lattice (add {} as the bottom, {A,B} as the lub of {A} and {B}, and {A,B,C,D} as the top):

{A,B,C,D}
{A,B,C}   {A,B,D}
{A,B}
{A}   {B}
{}

such embedding is always possible
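As an added example (not code from the slides or from Sandhu's paper), the following Python checks Denning's axioms 1 to 4 from slide 4 for a finite set of classes under a given can-flow predicate, and embeds a poset of set-valued labels in a lattice by closing it under union and intersection, which for the poset on this slide adds exactly {}, {A,B} and {A,B,C,D}. The compartment names and label sets are the slides' own examples; the function names and the dictionary of axiom results are assumptions.

```python
from itertools import product

# Added example. Security classes are frozensets of compartments and the
# flow relation is set inclusion, so lub is union. Inputs are constructed
# from the examples on slides 5 and 10.


def powerset_lattice(compartments):
    """Every subset of `compartments`: the lattice drawn on slide 5."""
    items = sorted(compartments)
    return {frozenset(c for c, bit in zip(items, bits) if bit)
            for bits in product((0, 1), repeat=len(items))}


def subset_flow(a, b):
    """can-flow(a, b): information in class a may flow into class b."""
    return a <= b


def least_upper_bound(classes, can_flow, a, b):
    """The unique least upper bound of a and b within `classes`, or None."""
    uppers = [u for u in classes if can_flow(a, u) and can_flow(b, u)]
    least = [u for u in uppers if all(can_flow(u, v) for v in uppers)]
    return least[0] if len(least) == 1 else None


def check_denning_axioms(classes, can_flow):
    """Report which of Denning's four axioms hold for <SC, ->, (+)>."""
    sc = list(classes)
    pairs = [(a, b) for a in sc for b in sc]
    reflexive = all(can_flow(a, a) for a in sc)
    antisymmetric = all(a == b for a, b in pairs
                        if can_flow(a, b) and can_flow(b, a))
    transitive = all(can_flow(a, c) for a, b in pairs for c in sc
                     if can_flow(a, b) and can_flow(b, c))
    return {
        # Axiom 1 holds by construction: SC was enumerated into a list.
        "finite": True,
        "partial_order": reflexive and antisymmetric and transitive,
        "lower_bound": any(all(can_flow(low, a) for a in sc) for low in sc),
        "lub": all(least_upper_bound(sc, can_flow, a, b) is not None
                   for a, b in pairs),
    }


def is_lattice(classes, can_flow):
    return all(check_denning_axioms(classes, can_flow).values())


def embed_in_lattice(family):
    """Close a family of set-valued labels under union and intersection.

    Under set inclusion the closure is a lattice: lub is union, glb is
    intersection, and the bottom is the intersection of everything.
    """
    closed = {frozenset(s) for s in family}
    grown = True
    while grown:
        grown = False
        for a in list(closed):
            for b in list(closed):
                for c in (a | b, a & b):
                    if c not in closed:
                        closed.add(c)
                        grown = True
    return closed


# Constructed inputs taken from the slides.
COMPARTMENT_LATTICE = powerset_lattice({"ARMY", "NUCLEAR", "CRYPTO"})
SLIDE10_POSET = {frozenset("A"), frozenset("B"),
                 frozenset("ABC"), frozenset("ABD")}

if __name__ == "__main__":
    print(check_denning_axioms(COMPARTMENT_LATTICE, subset_flow))
    print(check_denning_axioms(SLIDE10_POSET, subset_flow))   # axioms 3 and 4 fail
    print(sorted(sorted(s) for s in embed_in_lattice(SLIDE10_POSET)))
```

The closure step is specific to labels that are sets ordered by inclusion; for an arbitrary poset the general construction is the Dedekind-MacNeille completion, which this example does not implement.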

Page 11:

BELL-LAPADULA (BLP) MODEL

SIMPLE-SECURITY: Subject S can read object O only if
• label(S) dominates label(O), i.e.,
• information can flow from label(O) to label(S)

STAR-PROPERTY: Subject S can write object O only if
• label(O) dominates label(S), i.e.,
• information can flow from label(S) to label(O)

Page 12:

BLP MODEL

Top Secret
Secret
Confidential
Unclassified

(can-flow: upwards, from Unclassified towards Top Secret; dominance: downwards)

Page 13:

DYNAMIC LABELS IN BLP

• Tranquility (most common): SECURE
  label is static for subjects and objects

• High water mark on subjects: SECURE
  label is static for objects; label may increase but not decrease for subjects

• High water mark on objects: INSECURE
  label is static for subjects; label may increase but not decrease for objects

Page 14:

BIBA MODEL

High Integrity
Some Integrity
Suspicious
Garbage

(can-flow: downwards, from High Integrity towards Garbage; dominance: upwards)

Page 15:

BIBA MODEL

SIMPLE-INTEGRITY: Subject S can read object O only if
• label(O) dominates label(S), i.e.,
• information can flow from label(O) to label(S)

STAR-PROPERTY: Subject S can write object O only if
• label(S) dominates label(O), i.e.,
• information can flow from label(S) to label(O)

Page 16:

EQUIVALENCE OF BLP AND BIBA

BIBA LATTICE            EQUIVALENT BLP LATTICE
HI (High Integrity)     LI (Low Integrity)
LI (Low Integrity)      HI (High Integrity)

(the Biba lattice turned upside down is a BLP lattice: information flows from HI to LI in both)

Page 17:

EQUIVALENCE OF BLP AND BIBA

BLP LATTICE            EQUIVALENT BIBA LATTICE
HS (High Secrecy)      LS (Low Secrecy)
LS (Low Secrecy)       HS (High Secrecy)

(the BLP lattice turned upside down is a Biba lattice: information flows from LS to HS in both)

Page 18:

COMBINATION OF DISTINCT LATTICES

GIVEN

BLP:   HS      BIBA:   HI
       LS              LI

EQUIVALENT BLP LATTICE (product of the two, with the Biba component turned upside down)

HS, LI
HS, HI   LS, LI
LS, HI

Page 19:

BLP AND BIBA

• BLP and Biba are fundamentally equivalent and interchangeable

• Lattice-based access control is a mechanism for enforcing one-way information flow, which can be applied to confidentiality or integrity goals

• We will use the BLP formulation with high confidentiality at the top of the lattice, and high integrity at the bottom
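As an added example (not the slides' code), the following Python does what this slide proposes: it puts BLP and Biba on one lattice by making a label a triple of secrecy level, compartments and integrity level, with the integrity component inverted in the dominance order, so that the two BLP rules enforce all four BLP and Biba rules at once. It also shows the subject high-water-mark variant of slide 13, where a read floats the subject's label up instead of being denied. The level names are the chains of slides 12 and 14; the scenario labels, function names and compartment names are constructed.

```python
from dataclasses import dataclass

# Added example. Both orderings are taken from the slides: secrecy grows
# upwards (slide 12), integrity grows downwards on the combined lattice
# (slides 14 and 19), so the integrity index is compared in reverse.
SECRECY = ["Unclassified", "Confidential", "Secret", "Top Secret"]        # low -> high
INTEGRITY = ["Garbage", "Suspicious", "Some Integrity", "High Integrity"]  # low -> high


@dataclass(frozen=True)
class Label:
    secrecy: int        # index into SECRECY
    cats: frozenset     # compartments, as in the product lattice of slide 7
    integrity: int      # index into INTEGRITY (inverted in dominates)

    def dominates(self, other: "Label") -> bool:
        """Componentwise product order; Biba is BLP on the inverted lattice."""
        return (self.secrecy >= other.secrecy
                and self.cats >= other.cats
                and self.integrity <= other.integrity)

    def lub(self, other: "Label") -> "Label":
        """Least upper bound: where a floating subject label ends up."""
        return Label(max(self.secrecy, other.secrecy),
                     self.cats | other.cats,
                     min(self.integrity, other.integrity))


def label(secrecy: str, cats, integrity: str) -> Label:
    return Label(SECRECY.index(secrecy), frozenset(cats), INTEGRITY.index(integrity))


def can_read(subject: Label, obj: Label) -> bool:
    """Simple-security: label(S) dominates label(O). Read down in secrecy,
    which on the combined lattice is also Biba's read up in integrity."""
    return subject.dominates(obj)


def can_write(subject: Label, obj: Label) -> bool:
    """Star-property: label(O) dominates label(S). Write up in secrecy,
    which is also Biba's write down in integrity."""
    return obj.dominates(subject)


def read_with_high_water_mark(subject: Label, obj: Label) -> Label:
    """High water mark on subjects (slide 13): the read is not denied, the
    subject's label floats up to lub(label(S), label(O)) and stays there;
    object labels never move."""
    return subject.lub(obj)


# Constructed scenario: an analyst process and four objects.
ANALYST = label("Secret", {"A"}, "Some Integrity")
CONF_REPORT = label("Confidential", set(), "High Integrity")
TS_SCRATCH = label("Top Secret", {"A", "B"}, "Garbage")
SECRET_GARBAGE = label("Secret", {"A"}, "Garbage")
SAME_LEVEL = label("Secret", {"A"}, "Some Integrity")


def scenario() -> dict:
    """Access decisions for the constructed scenario, before and after the
    analyst's label floats on reading low-integrity data."""
    floated = read_with_high_water_mark(ANALYST, SECRET_GARBAGE)
    return {
        "read_conf_report": can_read(ANALYST, CONF_REPORT),        # read down: allowed
        "write_conf_report": can_write(ANALYST, CONF_REPORT),      # write down: denied
        "write_ts_scratch": can_write(ANALYST, TS_SCRATCH),        # write up: allowed
        "read_ts_scratch": can_read(ANALYST, TS_SCRATCH),          # read up: denied
        "read_secret_garbage": can_read(ANALYST, SECRET_GARBAGE),  # low integrity: denied
        "write_same_level_before": can_write(ANALYST, SAME_LEVEL), # allowed
        "floated_label": floated,                                  # integrity now Garbage
        "read_secret_garbage_after": can_read(floated, SECRET_GARBAGE),  # allowed
        "write_same_level_after": can_write(floated, SAME_LEVEL),        # now denied
    }


if __name__ == "__main__":
    for name, decision in scenario().items():
        print(f"{name}: {decision}")
```

The last two entries are the point of the high-water mark: once the subject has read Garbage-integrity data its label cannot come back down, so it loses the ability to write objects it could write before, which is exactly the one-way flow the slide describes.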

Page 20:

LIPNER'S LATTICE

[Hasse diagram in the original; the subjects (S:) and objects (O:) placed on it, as recoverable from the figure:]

S: System Control
S: System Managers / O: Audit Trail
S: Repair
S: Production Users / O: Production Data
S: Application Programmers
O: Development Code and Data
S: System Programmers
O: System Code in Development
O: Repair Code
O: System Programs
O: Production Code
O: Tools

LEGEND: S: Subjects, O: Objects

Page 21:

LIPNER'S LATTICE

• Uses 9 labels from a possible space of 192 labels

• Audit trail is at lowest integrity

• Production users are only allowed to execute production code

• System control subjects are allowed to
  • write down (with respect to confidentiality), or equivalently
  • write up (with respect to integrity)

Page 22:

CHINESE WALL POLICY

• Example of a commercial security policy for confidentiality

• Mixture of free choice (discretionary) and mandatory controls

• Introduced by Brewer and Nash at the IEEE Symposium on Security and Privacy (Oakland), 1989

Page 23:

CHINESE WALL EXAMPLE

ALL OBJECTS
  CONFLICT OF INTEREST CLASSES: BANKS | OIL COMPANIES
  COMPANY DATASETS: A, B (banks) | X, Y (oil companies)

A consultant can access information about at most one company in each conflict of interest class

Page 24:

READ ACCESS

BREWER-NASH SIMPLE SECURITY

S can read O only if

• O is in the same company dataset as some object previously read by S (i.e., O is within the wall)

or

• O belongs to a conflict of interest class within which S has not read any object (i.e., O is in the open)

Page 25:

WRITE ACCESS

BREWER-NASH STAR-PROPERTY

S can write O only if

• S can read O by the simple security rule

and

• S can read no object that is in a different company dataset from the one for which write access is requested

Page 26:

REASON FOR BN STAR-PROPERTY

ALICE'S WALL: Bank A, Oil Company X
BOB'S WALL:   Bank B, Oil Company X

• cooperating Trojan Horses can transfer Bank A information to Bank B objects, and vice versa, using Oil Company X objects as intermediaries

Page 27:

IMPLICATIONS OF BN STAR-PROPERTY

Either

• S cannot write at all

or

• S is limited to reading and writing one company dataset

Page 28:

WHY THIS IMPASSE?

Failure to clearly distinguish user labels from subject labels.

Page 29:

CHINESE WALL LATTICE

SYSHIGH
A, X   A, Y   B, X   B, Y
A, -   B, -   -, X   -, Y
SYSLOW

(a label names at most one company per conflict of interest class; "-" means none yet; combining two companies of the same class gives SYSHIGH)

The high water mark of a user's principal can float up so long as it remains below SYSHIGH

Page 30:

USERS, PRINCIPALS, SUBJECTS

USER       PRINCIPALS
ALICE      ALICE.BANK A
           ALICE.OIL COMPANY X
           ALICE.BANK A & OIL COMPANY X
           ALICE.nothing

Page 31:

USERS, PRINCIPALS, SUBJECTS

USER       PRINCIPALS
JOE        JOE.TOP-SECRET
           JOE.SECRET
           JOE.CONFIDENTIAL
           JOE.UNCLASSIFIED

Page 32:

USERS, PRINCIPALS, SUBJECTS

• The Bell-LaPadula star-property is applied not to Joe but rather to Joe's principals

• Similarly, the Brewer-Nash star-property applies not to Alice but to Alice's principals
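As an added example (not the slides' code), the following Python first applies the Brewer-Nash rules of slides 24 and 25 to a user's read history and reproduces the impasse of slide 27, then applies the lattice of slide 29 to principals as slides 30 to 32 describe: a principal's label is a high water mark that floats up on each read as long as it stays below SYSHIGH, and writes obey the BLP star-property on the principal. The conflict of interest classes and company datasets are the constructed example of slide 23; the class ordering, label encoding and function names are assumptions.

```python
# Added example. Part 1: Brewer-Nash history rules on the user. Part 2: the
# Chinese Wall lattice on principals. Datasets are the constructed example
# of slide 23; a label picks at most one company per class, None is the "-"
# of slide 29, SYSLOW picks none and SYSHIGH is the top.
CLASS_ORDER = ["BANKS", "OIL COMPANIES"]
DATASETS = {"Bank A": "BANKS", "Bank B": "BANKS",
            "Oil Company X": "OIL COMPANIES", "Oil Company Y": "OIL COMPANIES"}


class BrewerNashUser:
    """History-based Brewer-Nash checks applied to the user as a whole."""

    def __init__(self):
        self.read_history = set()          # company datasets read so far

    def can_read(self, dataset):
        """Simple security: within the wall, or in the open."""
        if dataset in self.read_history:
            return True
        touched = {DATASETS[d] for d in self.read_history}
        return DATASETS[dataset] not in touched

    def read(self, dataset):
        if not self.can_read(dataset):
            raise PermissionError(dataset)
        self.read_history.add(dataset)

    def can_write(self, dataset):
        """Star-property: readable, and nothing read from another company
        dataset (taking "can be read" as "has been read")."""
        return self.can_read(dataset) and self.read_history <= {dataset}


def brewer_nash_impasse():
    """Datasets Alice may write after her first read, then after her second."""
    alice = BrewerNashUser()
    alice.read("Bank A")
    after_one = [d for d in DATASETS if alice.can_write(d)]
    alice.read("Oil Company X")
    after_two = [d for d in DATASETS if alice.can_write(d)]
    return after_one, after_two


SYSHIGH = "SYSHIGH"
SYSLOW = (None, None)


def dataset_label(dataset):
    return tuple(dataset if DATASETS[dataset] == c else None for c in CLASS_ORDER)


def dominates(a, b):
    if a == SYSHIGH:
        return True
    if b == SYSHIGH:
        return False
    return all(y is None or x == y for x, y in zip(a, b))


def lub(a, b):
    if SYSHIGH in (a, b):
        return SYSHIGH
    out = []
    for x, y in zip(a, b):
        if x is None or x == y:
            out.append(y)
        elif y is None:
            out.append(x)
        else:                              # two companies of one class
            return SYSHIGH
    return tuple(out)


class Principal:
    """One of a user's principals; its label is a high water mark."""

    def __init__(self, user, label=SYSLOW):
        self.user, self.label = user, label

    def read(self, dataset):
        floated = lub(self.label, dataset_label(dataset))
        if floated == SYSHIGH:             # would cross a conflict of interest
            raise PermissionError(f"{self.user} may not read {dataset}")
        self.label = floated

    def can_read_object(self, obj_label):
        return dominates(self.label, obj_label)

    def can_write_object(self, obj_label):
        return dominates(obj_label, self.label)   # star-property on principals


def lattice_resolution():
    """Slide 26 revisited: the combined principals of Alice and Bob share Oil
    Company X but cannot move Bank A data to Bank B objects, while a second
    principal of Alice's still writes Bank A objects."""
    alice_ax = Principal("ALICE")
    alice_ax.read("Bank A")
    alice_ax.read("Oil Company X")
    bob_bx = Principal("BOB")
    bob_bx.read("Bank B")
    bob_bx.read("Oil Company X")
    alice_a = Principal("ALICE")
    alice_a.read("Bank A")
    return {
        "alice_ax_label": alice_ax.label,
        "alice_ax_writes_bank_a": alice_ax.can_write_object(dataset_label("Bank A")),
        "alice_ax_writes_own_level": alice_ax.can_write_object(alice_ax.label),
        "bob_bx_reads_alice_ax_output": bob_bx.can_read_object(alice_ax.label),
        "alice_a_writes_bank_a": alice_a.can_write_object(dataset_label("Bank A")),
    }
```

In part 1 the user who has read Bank A and Oil Company X can write nothing at all; in part 2 the same user's ALICE.BANK A & OIL COMPANY X principal can still write, but only to objects labelled (A, X) or above, which Bob's (B, X) principal cannot read, so the Trojan horse channel of slide 26 is closed without locking the user out.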

Page 33:

CONCLUSION

• So long as Denning’s axioms are satisfied we will get a lattice-based information flow policy

• One-directional information flow in a lattice can be used for secrecy as well as for integrity but does not solve either problem completely

• To properly understand and enforce Information Security policies we must distinguish between

• policy applied to users, and

• policy applied to principals and subjects

Page 34:

REFERENCES

• Ravi Sandhu, "Lattice-Based Access Control Models." IEEE Computer, November 1993, pages 9-19.