Security Policies Security Policy

advertisement

Security Policies

„

„

„

„

Overview

The nature of policies

„

„

What they cover

Policy languages

The nature of mechanisms

„

„

Types

Secure vs . precise

Underlying both

„

Trust

Security Policy

„

„

Policy partitions system states into:

„

„

Authorized (secure)

„

These are states the system can enter

Unauthorized (non-secure)

„

If the system enters any of these states, a breach of security has occurred

Secure system

„

„

Starts in an authorized state

Never enters an unauthorized state

2

1

1

Confidentiality

„

„

„

„

X set of entities, I information

I has confidentiality property with respect to

X if no x ∈ X can obtain information from I

I can be disclosed to others but not to x ∈ X

Example:

„

„

„

X set of students

I final exam answer key

I is confidential with respect to X if no student can obtain final exam answer key

3

Integrity

„

„

„

X set of entities, I information

I has integrity property with respect to X if all x ∈ X trust information in I

Types of integrity:

„

„

„ trust I , its conveyance and protection (data integrity)

I information about origin of something or an identity (origin integrity, authentication)

I resource: means resource functions as it should

(assurance)

4

2

Availability

„

„

„

X set of entities, I resource

I has availability property with respect to X if all x ∈ X can access I

Types of availability:

„

„ traditional: x gets access or not quality of service: promised a level of access (for example, a specific level of bandwidth) and not meet it, even though some access is achieved

5

Question

„

„

„

„

„

Policy disallows cheating

„

Includes copying homework, with or without permission

CS class has students do homework on department computer

Anne forgets to read-protect her homework file

Bill notices this and copies it

Who cheated?

„

Anne, Bill, or both?

6

3

Answer Part 1

„

„

Bill cheated

„

„

„

Policy forbids copying homework assignment

Bill did it

System entered unauthorized state (Bill having a copy of Anne’s assignment)

Department’s responsibility?

„

„

If not explicit in computer security policy, certainly implicit

Not credible that a unit of the university allows something that the university as a whole forbids, unless the unit explicitly says so

7

Answer Part 2

„

„

„

Anne did not protect her homework

„

Not required by security policy

She did not breach security

If policy said students had to readprotect homework files, then Anne did breach security

„

Because she did not do this

8

4

Mechanisms

„

Entity or procedure that enforces some part of the security policy

„

Access controls (set to prevent someone from reading a homework file)

„

Disallowing people from bringing CDs and floppy disks into a computer facility to control what is placed on systems

9

Policy Models

„

„

Abstract description of a policy or class of policies

Focus on points of interest in policies

„

„

„

Confidentiality Policies

„

Security levels in multilevel security models

„

Prohibit direct or indirect information flow

Integrity Policies

„

„

„

Separation of duty in Clark-Wilson model

Restrict who/how data can be modified

Conflict of interest in Chinese Wall model (both conf./int.)

Availability Policies

„ describe what type/level of service must be provided

10

5

Types of Security Policies

„

„

Military (governmental) security policy

„

„

Policy primarily protecting confidentiality

Need to know; US Privacy Act (HIPAA)

Commercial security policy

„

„

While

Policy primarily protecting integrity

Bank account balance

„

„

Confidentiality policy protects only confidentiality

Integrity policy protects only integrity

11

Integrity and Transactions

Some integrity policies use notion of transaction

„

„

Begin in consistent state

„

“Consistent” defined by specification (e.g., database)

Perform series of actions ( transaction )

„

Actions cannot be interrupted

„

„

„

If actions complete, system in consistent state

If actions do not complete, system reverts to beginning (consistent) state

Note: two-phase commitment is not a security mechanism

12

6

Role of Trust

Administrator installs patch

1.

Trusts that patch came from vendor and not tampered with in transit

2.

3.

4.

Trusts vendor tested patch thoroughly

Trusts that vendor’s test environment corresponds to local environment

Trusts patch is installed correctly

13

Trust in Formal Verification

„

„

„

Gives formal mathematical proof that given input output o i , program as specified

P produces

Suppose that a security-related program S is formally verified to work with operating system O

What are the assumptions?

14

7

Trust in Formal Methods

1.

2.

3.

4.

Proof has no errors

Bugs in automated theorem provers

Preconditions hold in environment in which is to be used (same version of OS O )

S

S transformed into executable S ′ whose actions follow source code

„

„

Compiler bugs, linker/loader/library problems

(http://www.acm.org/classics/sep95)

Hardware executes S’ as intended

Hardware bugs (Pentium f00f bug http://www.x86.org/errata/dec97/f00fbug.htm)

15

Types of Access Control

„

„

„

Discretionary Access Control (DAC, IBAC)

„ individual user sets access control mechanism to allow or deny access to an object; based on identity

Mandatory Access Control (MAC)

„ system mechanism controls access to object, and individual cannot alter that access

Originator Controlled Access Control (ORCON)

„

„ originator (creator) of information controls who can access information

Own right not enough to control rights

16

8

Policy Languages

„

„

„

Express security policies in a precise way

High-level languages

„

Policy constraints expressed abstractly

Low-level languages

„

Policy constraints expressed in terms of program options, input, or specific characteristics of entities on system

17

High-Level Policy Languages

„

„

„

Constraints expressed independently of enforcement mechanism

Constraints restrict actions and entities

Constraints expressed unambiguously

„

Requires a precise language, usually a mathematical, logical, or programming-like language; English typically not precise enough

18

9

Example: Web Browser

„

„

„

„

Goal: restrict actions of Java programs that are downloaded and executed under control of web browser

Language specific to Java programs

Expresses constraints as conditions restricting creation of classes and invocation of entities

Independent of enforcement mechanism

19

Expressing Constraints

„

„

„

Entities are classes, methods

„

„

Class: set of objects that an access constraint constrains (e.g., file, socket)

Method: set of ways an operation can be invoked

(e.g., file.read() )

Operations

„

„

Instantiation: s creates instance of class c : s –| c

Invocation: s

1 executes object s

2

: s

1

| → s

2

Access constraints

„

„ deny ( s op x ) when b

While b is true, subject

(subject or class) s cannot perform op on x ; empty s means all subjects

20

10

Sample Constraints

„

„

Downloaded program cannot access password file on

UNIX system

„

Program’s class and methods for files: class File { public file(String name); public String getfilename();

„ public char read();

Constraint: deny ( |-> file.read) when

(file.getfilename() ==

/etc/passwd

)

Program cannot open network connection when 100 connections already exist

„

Constraint: deny ( |- socket) when (network.numconns >= 100)

21

DTEL

domain-type enforcement language

Three components:

„

Assign Types (readable, writable, sysbin, …) to objects

„

„

Assign Domains (user, admin, … ) to subjects

Specify which rights domains have over types

Combines elements of low-level, high-level policy languages

„

„

Implementation-level constructs express constraints in terms of language types (low)

Constructs do not express arguments or inputs to specific system commands (high)

22

11

Example

„

„

„

Goal: users cannot write to system binaries

Subjects in administrative domain can

„

User must authenticate to enter that domain

Subjects belong to domains:

„

„

„

„ d_user d_admin ordinary users administrative users d_login for login processes d_daemon system daemons

23

Types

„

„

Object types:

„

„

„

„

„ t_sysbin executable system files t_readable readable files t_writable t_dte t_generic writable files data used by enforcement mech. (DTEL) data generated from user processes

For example, treat these as partitions

„

In practice, files can be readable and writable; ignore this for the example

24

12

Domain Representation

„

Sequence

„

„

First component is list of programs that start in the domain

Other components describe rights subject in domain has over objects of a type

(crwd->t_writable) means subject can create, read, write, and list (search) any object of type t_writable

25

d_user

Domain

domain d_user =

(/usr/bin/sh,/usr/bin/csh,/usr/bin/k sh),

(crwxd->t_generic),

„

(rxd->t_sysbin),

(crwd->t_writable),

(rd->t_readable, t_dte);

Users can write only objects of type t_writable

, execute only objects of type sysbin

, create only objects of type t_generic and t_writable

, and read and search all

26

13

Low-Level Policy Languages

„

„

Set of inputs or arguments to commands to check or set constraints on system

Low level of abstraction

„

Need details of system, commands

27

Example: X Window System

„

„

UNIX-based X11 Windowing System

Access to X11 display controlled by list

„

List says what hosts allowed, disallowed access

„

„ xhost +groucho -chico

Connections from host groucho allowed

Connections from host chico not allowed

28

14

Example English Policy 4.6

„

„

„

Computer security policy for academic institution

„

„

Institution has multiple campuses, administered from central office

Each campus has its own administration, and unique aspects and needs

Authorized Use Policy

Electronic Mail Policy

29

Types of Mechanisms

secure set of reachable states precise broad set of secure states

30

15

Secure, Precise Mechanisms

„

„

Can one devise a procedure for developing a mechanism that is both secure and precise?

„

„

Consider confidentiality policies only here

Integrity policies produce same result

Program = function with multiple inputs and one output

„ a function inputs i k

∈ p

I

: k

I

1

× ... ×

, 1 ≤

I n

→ R is a program with n k ≤ n , and one output r ∈ R

31

Programs and Postulates

„

„

Observability Postulate : the output of a function encodes all available information about its inputs

„

„

Shared resources could be monitored

Covert channels considered part of the output

Example: authentication function

„

„

„

„

Inputs name, password; output Good or Bad

If name invalid, immediately print Bad; else access database

If time output of Bad, can determine if name valid

This means timing is part of output

32

16

Protection Mechanism

„

„

For a function mechanism is a function for which, when

„

„ m ( i m ( i

1

, ...,

1

, ..., i i p : n

) = n

) ∈ p ( i

E .

i

1 k

I

1

× ... ×

, ...,

I i k

I m : I

, 1 n

) or

≤ n

1

R, a protection

× ... × I n

→ k ≤ n , either

R ∪ E

E is set of outputs that indicate error

„

In above example, E = { “Password Database

Missing”, “Password Database Locked” }

33

Confidentiality Policy

„

„

Confidentiality policy for program which inputs can be revealed p says

„

„

Formally, for c : I

1

× ... × I p n

: I

1

× ... × I n

→ R , it is a function

A , where A ⊆ I

1

× ... ×

A is set of inputs available to observer

I n

Protection mechanism is function

„

„ m : I I → R ∪ E m secure iff ∃ m ´: A → R ∪ E such that, for all i

I k

, 1 ≤

1

× ... × n k ≤ n , m ( i

1

, ..., i n

) = m ´( c ( i m returns values consistent with c

1

, ..., i n

)) k

34

17

Examples

„

„

„ c ( i

„

1

, ..., i n

) = C , a constant

Deny observer any information (output does not vary with inputs) c ( i

„

1

, ..., i n

) = ( i

1

, ..., i n

), and m ´ = m

Allow observer full access to information c ( i

„

1

, ..., i n

) = i

1

Allow observer information about first input but no information about other inputs.

35

Precision

Security policy may be over-restrictive

„

Precision measures how over-restrictive

„

„ m

1

, m

2 distinct protection mechanisms for program p under policy c i m

1 m m

2

( i is as precise as m

2

1

, …, i m i n

) = i

( m

2

≤ p ( i

1

, …, i m n

) ⇒ m m m

1

) if, for all inputs

1

( m i

1

, …, m i i n

) = p ( i i

1

, …,

1

, …, i n

) i n

,

1 more precise than an input ( n

´) and

1

´, …,

2

(

1 i n i

2

( p ( i

1

>

´) such that

´, …, n

´) ≠

1

1

(

2

´, …, i

) if in addition there is

1

´, …, n

´).

i n

´) = p ( i

1

´, …,

36

18

Combining Mechanisms

„

„

„ m m

„

1

, m

2 protection mechanisms

3

= m ∪ m

For inputs on which as p ,

1 m

3 value as does also; otherwise, m

1

2 m

1 and m

2 return same value m

3 returns same

Theorem: if

„

„

≤ m m

3

1

, m and

2 m secure, then

1

≤ m3 m

3 secure

Also, m

1

Follows from definitions of secure, precise, and m

3

37

Existence Theorem

„

For any program there exists a precise, secure mechanism mechanisms p and security policy c , m ≤ m* m * such that, for all secure m associated with p and c ,

„

Maximally precise mechanism

„

„

Ensures security

Minimizes number of denials of legitimate actions

38

19

Lack of Effective Procedure

„

There is no effective procedure that determines a maximally precise, secure mechanism for any policy and program.

Key Points

„

„

„

Policies describe what is allowed

Mechanisms control enforced how policies are

Trust underlies everything

40

39

20

Download