Chapter 5 – Designing Trusted Operating Systems In this section What is a trusted system? Security Policy Military Commercial Clark-Wilson Separation of Duty Chinese Wall Models Lattice Model Bell-La Padula Biba Graham-Denning Take-Grant Designing Trusted OS Primary security in computing systems Primary Security Memory File Objects/Access Control User Authentication Trusted – We are confident that services are provided consistently and effectively Making of a trusted OS Policy – requirements statement of what is should do Model – model of the environment to be secured; represents the policy to be enforced Design – the means of implementation; functionality and construction Trust – assurance of meeting expectation through the features offered What is a trusted system? What makes something secure? For how long? Trusted Software – rigorously developed and analyzed Key Characteristics of Trusted Software: Functional Correctness Enforcement of Integrity Limited Privilege Appropriate Confidence Level We speak in terms of trusted and not secure Many types of Trust: Trusted Process Trusted Product Trusted Software Trusted Computing Base Trusted System Through: Enforcement of Security Policy Sufficiency of Measures and Mechanism Evaluation Security Policy Security Policy – statement of the security we expect the system to enforce A trusted system can be trusted only in relation to its security policy…. To the security needs the system expected to satisfy Military Security Policy Basis of many OS security policies Based on protecting classified information Top Secret (most sensitive), Secret, Confidential, Restricted, Unclassified (least sensitive) Limited by the Need-to-Know rule: Access is allowed only to subjects who need to know data to perform job. Compartments- classification information may be associated with one or more projects describing the subject matter of the information Classification - <rank; compartments> This enforces need-to-know both by security level and by topic Clearance – person is trusted to access information up to a given level of sensitivity with need-to-know Dominance, on a set of Objects (0) and Subjects (s) s ≤ o if and only if rank(s) ≤ rank (0) and compartments (s) ⊆ compartments(0) We say 0 dominates s (or s is dominated by o) Dominance is used to limit the sensitivity and content of information a subject can access As subject can read an object only if: clearance level of the subject is at least as high as the information Subject has a need-to-know about all compartments for which the information is classified Commercial Security Policies Worried about espionage Degrees of sensitivity: Public Proprietary Internal No dominance function for most commercial policies since no formal clearance is needed Integrity and availability are just, not if more, important than confidentiality Clark-Wilson Commercial Security Policy This is based on Integrity Policy on well-formed transactions Sequence of activities Performing steps in order, performing exactly the steps listed, and authentication of individuals in the steps (well-formed transactions) Goal: maintain consistency between internal data and external (users’) expectation of data Constrained data items which are processed by transformation procedures Separation of Duty The required division of responsibilities is called separation of duty Accomplished manually by means of dual signatures Chinese Wall Security Policy Used in legal, medical, investment and accounting firms Addresses the conflict of interest Security Policy Builds on: Objects – low level Company Groups – mid level Conflict Classes – high level, groups of objects of competing companies are clusterd Models of Security Security Models are used to: Test a particular policy for completeness and consistency Document policy Help conceptualize and design an implementation Check whether an implementation meets its requirements Policy is established outside any model Model is only a mechanism that enforces the policy Multilevel Security Build a model to represent a range of sensitivities and to reflect the need to separate subjects rigorously from objects to which they should not have access The generalized model is called the Lattice Model of Security Bell-La Padula Confidentiality Model Formal description of allowable paths of flow in a secure system Formalization of the military security policy Two properties: Simple Security Property – A subject s may have read access to object o only if C(o) ≤ C(s) *-Property – A subject s who has read access to an object o may have write access to an object p only if C(o) ≤ C(p) C(s) – clearance; c(0) classification Write-down – high level subjects transfers high level data to a low level object (prevented by star property) Figure 5-7 Secure Flow of Information. Biba Integrity Model Bell-La Padula model applies only to secrecy Biba is about Integrity and defines integrity levels Properties: Simple Integrity Property – Subject s can modify (have write access to) object o only if I(s) ≥ I(o) *-Property – if subject s has read access to object o with integrity level I(0), s can have write access to object p only if I(o) ≥ I(p) [write-down] Totally ignores secrecy Graham-Denning Model Formal System of Protection Rules Access Control Mechanism (matrix) of a protection system Eight Privative Protection Rights Create object, Create subject, Delete object and Delete subject Read Access Grant Access Delete Access Right Transfer Access Right Matrix: A[s,o] Take-Grant Systems Four primitives: create, revoke, take and grant