Jonathan Katz


Will be held Oct 21, in class

Will cover everything up to and including the preceding lecture (Oct 16)

Includes all reading posted on the class syllabus!


Send questions to newsgroup if the answer would be of interest to other students

(If you want to reach me, send email)

 “Military security policy” is primarily concerned with confidentiality
– Does not exclude other concerns…
 “Commercial security policy” is primarily concerned with integrity (think: banking industry)
– E.g., consistent transactions
– The question of “trust” is much harder than the question of confidentiality

 Everything rests on certain assumptions…

E.g., sys admin applies patch; has this improved security?
– Assumptions
• Patch was not tampered with
• Patch itself works correctly
• Patch will work correctly in new environment
• Patch installed/configured correctly
• Sys admin trustworthy


Discretionary access control
– User can allow/deny access to objects
– Also called identity-based access control

Mandatory access control
– System-wide mechanism allows/denies access
– E.g., root may have read access to all files
– Also called rule-based access control


Language for representing security policy

High-level policy languages
– Formal specification of policy
– Example: deny(x op x) when b
– E.g., deny(file.read) when (file.getname() =
“/etc/passwd”)


Low-level policy languages
– Explicit system commands that mandate certain policy
– E.g., chmod, xhost

 See book…


Information may be leaked in unexpected ways
– E.g., timing difference between login with incorrect username or incorrect password
– Error messages (e.g., learn filenames)
– Side effects (e.g., values of other variables)
– Printers, monitors, external hardware

These should be taken into account when designing security mechanism/policy


The precision of a mechanism is a measure of how overly-restrictive the mechanism is with respect to the policy
– I.e., due to preventing things that are allowed

Unfortunately, it is impossible (in general) to develop a “maximally-precise” mechanism for an arbitrary policy


Both policies and mechanisms make certain assumptions, and determinations of “trust”
– Important to recognize this
– Occasionally re-think these assumptions


Security classes with linear ordering

Subjects have security clearance

Objects have security classification

Prevent read access to objects with security classification higher than the subject’s security clearance


Can combine Bell-LaPadula model with discretionary access control as well
– Simple security condition: S can read O if and only if l o
 l s and S has discretionary read access to O


What if I have clearance to read a file, but copy it into an unclassified location?
– Potential security breach

*-property
– S can write O if and only if l s discretionary write access to O
 l o and S has
 “Read down; write up”


If a system begins in a secure state, and always preserves the simple security condition and the
*-property, then the system will always remain in a secure state


We can extend the model by adding categories to each security classification
– A category describes a kind of information
– Objects may be in multiple categories; subjects may have access to multiple categories
• May be represented as a lattice
– “Need to know” principle


Each security classification and category form a security level
– Informally, a subject can read an object only if
(1) the subject’s security clearance are at least the security classification of the object; and
(2) the subject’s categories include the categories of the object

 Say (L, C) dominates (L’, C’) if:
– L’  L and C’ 
C

This modifies the simple security condition as follows:
– S can read O if and only if the security level of
S dominates the security level of O (and S has discretionary read access to O)


The *-property is modified as follows:
– S can write to O if and only if the security level of O dominates the security level of S (and S has discretionary write access to O)
– Basic security theorem modified accordingly

Note that if A does not dominate B, this does not imply that B dominates A


How to communicate from a higher security level to a lower one?
– Maximum security level and current security level
– Maximum security level must always dominate the current security level
– Reduce security level to write down…


Does the basic security theorem say anything meaningful?
– Or is it just a tautology?

In any case, the Bell-LaPadula model is useful


Users will not write their own programs
– Will use existing programs and databases

Programs will be written/tested on a nonproduction system

Special process must be followed to install new program on production system


The special installation process is controlled and audited

Auditors must have access to both system state and system logs

 “Separation of duty”
– Basically, have multiple people check any critical functions (e.g., software installation)
 “Separation of function”
– Develop new programs on a separate system

Auditing
– Recovery/accountability


The Bell-LaPadula model does not work as well for commercial systems
– Users given access to data as needed
– Would require large number of categories and classifications
– Decentralized handling of security clearances
– Desire to release some information