CMSC 414
Computer and Network Security
Lecture 11
Jonathan Katz
Announcements
 Midterm
– Closed book, closed notes
– Covers material through today’s lecture
– Everything linked from the course syllabus
 HW2 out
“Capability myths…”
 Equivalence myth: ACLs and capabilities are
“just” two views of the AC matrix
 Confinement myth: Capability systems cannot
enforce confinement
– That is, cannot restrict delegation
 Irrevocability myth: Capabilities cannot be
revoked
Equivalence myth
 ACLs have “arrows” from objects to subjects;
capabilities have “arrows” from subjects to objects
 Capabilities do not require subjects to “know”
object names a priori
 Capabilities do not require subjects to “know”
whether they have authority
– They have authority by virtue of the fact that they have
a capability!
– In contrast, with ACLs how do I obtain a list of all files
I am allowed to read?
Equivalence myth
 Capabilities allow for finer-grained treatment of
subjects
– Processes rather than user accounts
 ACLs potentially require objects to be aware of all
subjects
 Capabilities allow greater flexibility to delegate
permissions
– In ACLs, usually all-or-nothing
– In capability-based systems, can delegate a subset of
the rights you have
Confinement myth
 Myth: Capabilities can be delegated “at will” and
therefore cannot be confined
 But…can be set up so that A can delegate a
capability to B only if A is authorized to pass
capabilities to B
– If B is untrusted, then the latter capability will not exist
Origin of confinement myth
 Mistaken assumption that the ability to write/read
files translates into the ability to read/write
capabilities
– Capabilities should not be viewed as “just” files; they
can be typed by the OS
Revocation
 One solution: indirection
– Capabilities name an entry in a table, rather than the
object itself
– To revoke access to object, invalidate or change the
entry in the table
– Difficult to revoke access of a single user
 Capabilities can also expire with time
 If OS stores capabilities, can delete upon request
– Requires object to recall to whom capabilities given
Advantages of capabilities
 Better at enforcing “principle of least privilege”
– Provide access to minimal resources, to the minimal set
of subjects
– We have seen already that capabilities allow much
finer-grained control over subjects (process-level
instead of user-level)
Advantages…
 Avoiding “confused deputy” problem
– “Deputy” = program managing authorities from
multiple sources
– In the example we have seen, the problem was not the
compiler having the wrong authority, but of exercising
its authority for the wrong purpose
Confused deputy…
 Capabilities give the ability to identify the
authority a subject is using
– Can designate use of the authority for a specific
purpose
 Capabilities also tie together designation and
authority
– Don’t “know” about a resource if you don’t have the
capability to access it!
– Any request to access a resource must include the
necessary authority to do so --- “deputy” can now
examine the context of the request
Disadvantages of capabilities
 Overhead
 Revocation more difficult
 Controlling delegation more difficult
 Making files world-readable more difficult
(impossible?)
Mandatory access control
“Military security policy”
 Primarily concerned with secrecy
 Objects given “classification” (rank;
compartments)
 Subjects given “clearance” (rank; compartments)
 “Need to know” basis
– Subject with clearance (r, C) dominates object with
classification (r’, C’) only if r  r’ and C’  C
– Defines a lattice … classifications/clearance not
necessarily hierarchical
Security models
 Bell-LaPadula model
– Identifies allowable communication flows
– Concerned primarily with ensuring secrecy
 Biba model
– Concerned primarily with “trustworthiness”/integrity
of data
 Chinese wall
– Developed for commercial applications
Bell-LaPadula model
 Simple security condition: S can read O if and
only if lo  ls
 *-property: S can write O if and only if ls  lo
– Why?
 “Read down; write up”
– Information flows upward
Dynamic rights
 Could consider dynamic rights
– Once a process reads a file at one security level, cannot
write to any file at a lower security level
Basic security theorem
 If a system begins in a secure state, and always
preserves the simple security condition and the
*-property, then the system will always remain in
a secure state
– I.e., information never flows down…
Communicating down…
 How to communicate from a higher security level
to a lower one?
– Max. security level vs. current security level
– Maximum security level must always dominate the
current security level
– Reduce security level to write down…
• Security theorem no longer holds
• Must rely on users to be security-conscious
Commercial vs. military systems
 The Bell-LaPadula model does not work well for
commercial systems
– Users given access to data as needed
• Discretionary access control vs. mandatory access control
– Would require large number of categories and
classifications
– Centralized handling of “security clearances”
Biba model
 Concerned with integrity
– “Dual” of Bell-LaPadula model
 The higher the level, the more confidence
– More confidence that a program will act correctly
– More confidence that a subject will act appropriately
– More confidence that data is trustworthy
 Integrity levels may be independent of security
classifications
– Confidentiality vs. trustworthiness
– Information flow vs. information modification
Biba model
 Simple integrity condition: S can read O if and
only if Is  Io
– Is, Io denote the integrity levels
 (Integrity) *-property: S can write O if and only
if Io  Is
– Why?
– The information obtained from a subject cannot be
more trustworthy than the subject itself
 “Read up; write down”
– Information flows downward
Security theorem
 An information transfer path is a sequence of
objects o1, …, on and subjects s1, …, sn-1, such
that, for all i, si can read oi and write to oi+1
– Information can be transferred from o1 to on via a
sequence of read-write operations
 Theorem: If there is an information transfer path
from o1 to on, then I(on)  I(o1)
– Informally: information transfer does not increase the
trustworthiness of the data
 Note: says nothing about secrecy…
“Low-water-mark” policy
 Variation of “pure” Biba model
 If s reads o, then the integrity level of s is changed
to min(Io, Is)
– The subject may be relying on data less trustworthy
than itself
– So, its integrity level is lowered
 Drawback: the integrity level of a subject is non-
increasing!
Chinese wall
 Intended to prevent conflicts of interest
 Rights are dynamically updated based on actions
of the subjects
Chinese wall -- basic setup
Company datasets
Bank A
Bank B
School 1
School 2
School 3
Conflict of interest (CI) class
files
Chinese wall rules
 Subject S is allowed to read from at most one
company dataset in any CI class
– This rule is dynamically updated as accesses occur
– See next slide…
Example
Bank A
Bank B
School 1
School 2
School 3
read
read
Chinese wall rules II
 S can write to O only if
– S can read O and
– All objects that S can read are in the same dataset as O
 This is intended to prevent an indirect flow of
information that would cause a conflict of interest
– E.g., S reads from Bank A and writes to School 1; S’
can read from School 1 and Bank B
– S’ may find out information about Banks A and B!
 Note that S can write to at most one dataset…