Overview
The nature of policies
What they cover
Policy languages
The nature of mechanisms
Types
Secure vs . precise
Underlying both
Trust
Policy partitions system states into:
Authorized (secure)
These are states the system can enter
Unauthorized (non-secure)
If the system enters any of these states, a breach of security has occurred
Secure system
Starts in an authorized state
Never enters an unauthorized state
2
1
1
X set of entities, I information
I has confidentiality property with respect to
X if no x ∈ X can obtain information from I
I can be disclosed to others but not to x ∈ X
Example:
X set of students
I final exam answer key
I is confidential with respect to X if no student can obtain final exam answer key
3
X set of entities, I information
I has integrity property with respect to X if all x ∈ X trust information in I
Types of integrity:
trust I , its conveyance and protection (data integrity)
I information about origin of something or an identity (origin integrity, authentication)
I resource: means resource functions as it should
(assurance)
4
2
X set of entities, I resource
I has availability property with respect to X if all x ∈ X can access I
Types of availability:
traditional: x gets access or not quality of service: promised a level of access (for example, a specific level of bandwidth) and not meet it, even though some access is achieved
5
Policy disallows cheating
Includes copying homework, with or without permission
CS class has students do homework on department computer
Anne forgets to read-protect her homework file
Bill notices this and copies it
Who cheated?
Anne, Bill, or both?
6
3
Bill cheated
Policy forbids copying homework assignment
Bill did it
System entered unauthorized state (Bill having a copy of Anne’s assignment)
Department’s responsibility?
If not explicit in computer security policy, certainly implicit
Not credible that a unit of the university allows something that the university as a whole forbids, unless the unit explicitly says so
7
Anne did not protect her homework
Not required by security policy
She did not breach security
If policy said students had to readprotect homework files, then Anne did breach security
Because she did not do this
8
4
Entity or procedure that enforces some part of the security policy
Access controls (set to prevent someone from reading a homework file)
Disallowing people from bringing CDs and floppy disks into a computer facility to control what is placed on systems
9
Abstract description of a policy or class of policies
Focus on points of interest in policies
Confidentiality Policies
Security levels in multilevel security models
Prohibit direct or indirect information flow
Integrity Policies
Separation of duty in Clark-Wilson model
Restrict who/how data can be modified
Conflict of interest in Chinese Wall model (both conf./int.)
Availability Policies
describe what type/level of service must be provided
10
5
Military (governmental) security policy
Policy primarily protecting confidentiality
Need to know; US Privacy Act (HIPAA)
Commercial security policy
While
Policy primarily protecting integrity
Bank account balance
Confidentiality policy protects only confidentiality
Integrity policy protects only integrity
11
Some integrity policies use notion of transaction
Begin in consistent state
“Consistent” defined by specification (e.g., database)
Perform series of actions ( transaction )
Actions cannot be interrupted
If actions complete, system in consistent state
If actions do not complete, system reverts to beginning (consistent) state
Note: two-phase commitment is not a security mechanism
12
6
Administrator installs patch
1.
Trusts that patch came from vendor and not tampered with in transit
2.
3.
4.
Trusts vendor tested patch thoroughly
Trusts that vendor’s test environment corresponds to local environment
Trusts patch is installed correctly
13
Gives formal mathematical proof that given input output o i , program as specified
P produces
Suppose that a security-related program S is formally verified to work with operating system O
What are the assumptions?
14
7
1.
2.
3.
4.
Proof has no errors
•
Bugs in automated theorem provers
Preconditions hold in environment in which is to be used (same version of OS O )
S
S transformed into executable S ′ whose actions follow source code
Compiler bugs, linker/loader/library problems
(http://www.acm.org/classics/sep95)
Hardware executes S’ as intended
Hardware bugs (Pentium f00f bug http://www.x86.org/errata/dec97/f00fbug.htm)
15
Discretionary Access Control (DAC, IBAC)
individual user sets access control mechanism to allow or deny access to an object; based on identity
Mandatory Access Control (MAC)
system mechanism controls access to object, and individual cannot alter that access
Originator Controlled Access Control (ORCON)
originator (creator) of information controls who can access information
Own right not enough to control rights
16
8
Express security policies in a precise way
High-level languages
Policy constraints expressed abstractly
Low-level languages
Policy constraints expressed in terms of program options, input, or specific characteristics of entities on system
17
Constraints expressed independently of enforcement mechanism
Constraints restrict actions and entities
Constraints expressed unambiguously
Requires a precise language, usually a mathematical, logical, or programming-like language; English typically not precise enough
18
9
Goal: restrict actions of Java programs that are downloaded and executed under control of web browser
Language specific to Java programs
Expresses constraints as conditions restricting creation of classes and invocation of entities
Independent of enforcement mechanism
19
Entities are classes, methods
Class: set of objects that an access constraint constrains (e.g., file, socket)
Method: set of ways an operation can be invoked
(e.g., file.read() )
Operations
Instantiation: s creates instance of class c : s –| c
Invocation: s
1 executes object s
2
: s
1
| → s
2
Access constraints
deny ( s op x ) when b
While b is true, subject
(subject or class) s cannot perform op on x ; empty s means all subjects
20
10
Downloaded program cannot access password file on
UNIX system
Program’s class and methods for files: class File { public file(String name); public String getfilename();
public char read();
Constraint: deny ( |-> file.read) when
(file.getfilename() ==
“
/etc/passwd
”
)
Program cannot open network connection when 100 connections already exist
Constraint: deny ( |- socket) when (network.numconns >= 100)
21
domain-type enforcement language
Three components:
Assign Types (readable, writable, sysbin, …) to objects
Assign Domains (user, admin, … ) to subjects
Specify which rights domains have over types
Combines elements of low-level, high-level policy languages
Implementation-level constructs express constraints in terms of language types (low)
Constructs do not express arguments or inputs to specific system commands (high)
22
11
Goal: users cannot write to system binaries
Subjects in administrative domain can
User must authenticate to enter that domain
Subjects belong to domains:
d_user d_admin ordinary users administrative users d_login for login processes d_daemon system daemons
23
Object types:
t_sysbin executable system files t_readable readable files t_writable t_dte t_generic writable files data used by enforcement mech. (DTEL) data generated from user processes
For example, treat these as partitions
In practice, files can be readable and writable; ignore this for the example
24
12
Sequence
First component is list of programs that start in the domain
Other components describe rights subject in domain has over objects of a type
(crwd->t_writable) means subject can create, read, write, and list (search) any object of type t_writable
25
domain d_user =
(/usr/bin/sh,/usr/bin/csh,/usr/bin/k sh),
(crwxd->t_generic),
(rxd->t_sysbin),
(crwd->t_writable),
(rd->t_readable, t_dte);
Users can write only objects of type t_writable
, execute only objects of type sysbin
, create only objects of type t_generic and t_writable
, and read and search all
26
13
Set of inputs or arguments to commands to check or set constraints on system
Low level of abstraction
Need details of system, commands
27
UNIX-based X11 Windowing System
Access to X11 display controlled by list
List says what hosts allowed, disallowed access
xhost +groucho -chico
Connections from host groucho allowed
Connections from host chico not allowed
28
14
Computer security policy for academic institution
Institution has multiple campuses, administered from central office
Each campus has its own administration, and unique aspects and needs
Authorized Use Policy
Electronic Mail Policy
29
secure set of reachable states precise broad set of secure states
30
15
Can one devise a procedure for developing a mechanism that is both secure and precise?
Consider confidentiality policies only here
Integrity policies produce same result
Program = function with multiple inputs and one output
a function inputs i k
∈ p
I
: k
I
1
× ... ×
, 1 ≤
I n
→ R is a program with n k ≤ n , and one output r ∈ R
31
Observability Postulate : the output of a function encodes all available information about its inputs
Shared resources could be monitored
Covert channels considered part of the output
Example: authentication function
Inputs name, password; output Good or Bad
If name invalid, immediately print Bad; else access database
If time output of Bad, can determine if name valid
This means timing is part of output
32
16
For a function mechanism is a function for which, when
m ( i m ( i
1
, ...,
1
, ..., i i p : n
) = n
) ∈ p ( i
E .
i
1 k
I
1
∈
× ... ×
, ...,
I i k
I m : I
, 1 n
) or
≤ n
→
1
R, a protection
× ... × I n
→ k ≤ n , either
R ∪ E
E is set of outputs that indicate error
In above example, E = { “Password Database
Missing”, “Password Database Locked” }
33
Confidentiality policy for program which inputs can be revealed p says
Formally, for c : I
1
× ... × I p n
: I
→
1
× ... × I n
→ R , it is a function
A , where A ⊆ I
1
× ... ×
A is set of inputs available to observer
I n
Protection mechanism is function
m : I I → R ∪ E m secure iff ∃ m ´: A → R ∪ E such that, for all i
I k
, 1 ≤
1
× ... × n k ≤ n , m ( i
1
, ..., i n
) = m ´( c ( i m returns values consistent with c
1
, ..., i n
)) k
∈
34
17
c ( i
1
, ..., i n
) = C , a constant
Deny observer any information (output does not vary with inputs) c ( i
1
, ..., i n
) = ( i
1
, ..., i n
), and m ´ = m
Allow observer full access to information c ( i
1
, ..., i n
) = i
1
Allow observer information about first input but no information about other inputs.
35
Security policy may be over-restrictive
Precision measures how over-restrictive
m
1
, m
2 distinct protection mechanisms for program p under policy c i m
1 m m
2
( i is as precise as m
2
1
, …, i m i n
) = i
( m
2
≤ p ( i
1
, …, i m n
) ⇒ m m m
1
) if, for all inputs
1
( m i
1
, …, m i i n
) = p ( i i
1
, …,
1
, …, i n
) i n
,
1 more precise than an input ( n
´) and
1
´, …,
2
(
1 i n i
2
( p ( i
1
>
´) such that
´, …, n
´) ≠
1
1
(
2
´, …, i
) if in addition there is
1
´, …, n
´).
i n
´) = p ( i
1
´, …,
36
18
m m
1
, m
2 protection mechanisms
3
= m ∪ m
For inputs on which as p ,
1 m
3 value as does also; otherwise, m
1
2 m
1 and m
2 return same value m
3 returns same
Theorem: if
≤ m m
3
1
, m and
2 m secure, then
1
≤ m3 m
3 secure
Also, m
1
Follows from definitions of secure, precise, and m
3
37
For any program there exists a precise, secure mechanism mechanisms p and security policy c , m ≤ m* m * such that, for all secure m associated with p and c ,
Maximally precise mechanism
Ensures security
Minimizes number of denials of legitimate actions
38
19
There is no effective procedure that determines a maximally precise, secure mechanism for any policy and program.
Policies describe what is allowed
Mechanisms control enforced how policies are
Trust underlies everything
40
39
20