Lecture 19
Trusted Computing and Multilevel Security
Computer Security Models
- two fundamental computer security facts:
- all complex software systems have eventually revealed flaws or bugs that need to be fixed
- it is extraordinarily difficult to build computer hardware/software not vulnerable to security attacks
- problems involved both design and implementation
- led to development of formal security models
Bell-LaPadula (BLP) Model
- formal model for access control
- subjects and objects are assigned a security class
- a subject has a security clearance
- an object has a security classification
- form a hierarchy and are referred to as security levels: top secret > secret > confidential > restricted > unclassified
- security classes control the manner by which a subject may access an object
BLP Model Access Modes
- READ
- the subject is allowed only read access to the object
- APPEND
- the subject is allowed only write access to the object
- WRITE
- the subject is allowed both read and write access to the object
- EXECUTE
- the subject is allowed neither read nor write access to the object but may invoke the object for execution
Multi-Level Security
- no read up
- a subject can only read an object of lower or equal security level
- referred to as the simple security property
- no write down
- a subject can only write into an object of greater or equal security level
- referred to as the *-property
BLP Formal Description
- based on current state of system (b, M, f, H):
- current access set b: triples of (s, o, a)
- subject s has current access to object o in access mode a
- access matrix M: matrix of elements Mij
- access modes in which subject Si is permitted to access object Oj
- level function f: security level of subjects and objects
- fo(Oj) is the classification level of object Oj
- fs(Si) is the security clearance of subject Si
- fc(Si) is the current security level of subject Si
- hierarchy H: a directed rooted tree of objects
BLP Formal Description
- three BLP properties:
- ss-property: ∀ (Si, Oj, read) ∈ b: fc(Si) ≥ fo(Oj)
- *-property: ∀ (Si, Oj, append) ∈ b: fc(Si) ≤ fo(Oj), and ∀ (Si, Oj, write) ∈ b: fc(Si) = fo(Oj)
- ds-property: (Si, Oj, Ax) ∈ b implies Ax ∈ M[Si, Oj]
- BLP gives formal theorems
- theoretically possible to prove system is secure
- in practice usually not possible
BLP Rules
1. get access
2. release access
3. change object level
4. change current level
5. give access permission
6. rescind access permission
7. create an object
8. delete a group of objects
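The formal description and the rule list above are easiest to understand when run. The following is an added example written for this lecture, not code from the slides or from any real MLS kernel: it models the state (b, M, f, H) minus the hierarchy H, checks the ss-, *- and ds-properties on every request, and implements rules 1 (get access), 2 (release access) and 4 (change current level). Subject and object names, the access matrix contents and the level assignments are constructed sample data.

```python
# Added example: executable model of the BLP state (b, M, f) and its three properties.
# Not from the slides or from any real implementation; all names and levels below
# are constructed sample data.
from dataclasses import dataclass, field

# Security levels as on the slides, ordered low to high (a chain, so one rank suffices).
LEVELS = ["unclassified", "restricted", "confidential", "secret", "top secret"]
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}


def dominates(a: str, b: str) -> bool:
    """True if level a is greater than or equal to level b."""
    return RANK[a] >= RANK[b]


@dataclass
class BLPState:
    fs: dict                                    # fs(Si): clearance of each subject
    fc: dict                                    # fc(Si): current level of each subject
    fo: dict                                    # fo(Oj): classification of each object
    M: dict = field(default_factory=dict)       # M[(Si, Oj)] -> set of permitted modes
    b: set = field(default_factory=set)         # current access set of (s, o, a) triples

    def ss_ok(self, s, o, a) -> bool:
        # ss-property (no read up): read requires fc(Si) >= fo(Oj)
        return a != "read" or dominates(self.fc[s], self.fo[o])

    def star_ok(self, s, o, a) -> bool:
        # *-property (no write down): append requires fc(Si) <= fo(Oj), write requires equality
        if a == "append":
            return dominates(self.fo[o], self.fc[s])
        if a == "write":
            return self.fc[s] == self.fo[o]
        return True

    def ds_ok(self, s, o, a) -> bool:
        # ds-property: the mode must be present in the access matrix entry M[Si, Oj]
        return a in self.M.get((s, o), set())

    def get_access(self, s, o, a) -> bool:
        """Rule 1 (get access): add (s, o, a) to b only if all three properties hold."""
        if a not in ("read", "append", "write", "execute"):
            raise ValueError("unknown access mode " + a)
        if self.ss_ok(s, o, a) and self.star_ok(s, o, a) and self.ds_ok(s, o, a):
            self.b.add((s, o, a))
            return True
        return False

    def release_access(self, s, o, a) -> None:
        """Rule 2 (release access): remove the triple from b."""
        self.b.discard((s, o, a))

    def change_current_level(self, s, new_level) -> bool:
        """Rule 4 (change current level): fc(Si) may move anywhere up to fs(Si),
        but not if a currently held access would then violate the ss- or *-property."""
        if not dominates(self.fs[s], new_level):
            return False
        old = self.fc[s]
        self.fc[s] = new_level
        for (bs, bo, ba) in list(self.b):
            if bs == s and not (self.ss_ok(s, bo, ba) and self.star_ok(s, bo, ba)):
                self.fc[s] = old        # refuse and restore the previous state
                return False
        return True


def demo() -> dict:
    """Constructed scenario: two subjects, three objects, permissive access matrix,
    so every decision below is made by the ss- and *-properties alone."""
    st = BLPState(
        fs={"alice": "secret", "bob": "confidential"},
        fc={"alice": "secret", "bob": "confidential"},
        fo={"plan": "secret", "memo": "confidential", "log": "top secret"},
    )
    for s in st.fs:
        for o in st.fo:
            st.M[(s, o)] = {"read", "append", "write", "execute"}
    results = {
        "alice reads memo (read down)":   st.get_access("alice", "memo", "read"),    # True
        "bob reads plan (read up)":       st.get_access("bob", "plan", "read"),      # False
        "alice appends log (write up)":   st.get_access("alice", "log", "append"),   # True
        "alice writes memo (write down)": st.get_access("alice", "memo", "write"),   # False
        "alice writes plan (same level)": st.get_access("alice", "plan", "write"),   # True
    }
    # Lowering alice while she still holds write on "plan" (secret) would break the
    # *-property for that write, so the level change is refused until it is released.
    results["alice downgrades level"] = st.change_current_level("alice", "confidential")          # False
    st.release_access("alice", "plan", "write")
    results["alice downgrades after release"] = st.change_current_level("alice", "confidential")  # True
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The ds-property is what makes the model discretionary on top of mandatory: with an empty matrix entry, `get_access` refuses a request even when the levels would permit it, which is the check a reference monitor performs before the mandatory rules are consulted.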
BLP Example: *-property
BLP Example
- "downgrade": lowering an object's classification in a controlled and monitored manner
- "classification creep": information combined from a range of sources and levels
- "covert channels": (untrusted) low-classified executable data allowed to be executed by a high-clearance (trusted) subject
Confidentiality or Integrity
Biba Integrity Model
- access modes:
- Modify: to write or update information in an object
- Observe: to read information in an object
- Execute: to execute an object
- Invoke: communication from one subject to another
- strict integrity policy:
- simple integrity (modify): I(S) ≥ I(O)
- integrity confinement (observe): I(S) ≤ I(O)
- invocation property (invoke): I(S1) ≥ I(S2)
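Biba's three rules are the mirror image of BLP's: information may only flow from higher integrity to lower integrity. The following added example (written for this lecture, not code from the slides) encodes the strict integrity policy as a reference-monitor decision and runs it over a constructed scenario of a high-integrity installer and a low-integrity browser. Only modify, observe and invoke are modelled, because those are the three modes the slide's rules constrain; the subject, object and level names are assumptions.

```python
# Added example: Biba strict integrity policy as an executable access decision.
# Not from the slides; subjects, objects and integrity levels are constructed.
INTEGRITY = ["low", "medium", "high"]     # integrity levels ordered low to high
IRANK = {lvl: i for i, lvl in enumerate(INTEGRITY)}


def biba_allows(action: str, i_subject: str, i_target: str) -> bool:
    """Decide one request under the strict integrity policy.

    action   : 'modify', 'observe' or 'invoke'
    i_target : integrity level of the object, or of the called subject for 'invoke'
    """
    s, t = IRANK[i_subject], IRANK[i_target]
    if action == "modify":      # simple integrity: I(S) >= I(O), no write up
        return s >= t
    if action == "observe":     # integrity confinement: I(S) <= I(O), no read down
        return s <= t
    if action == "invoke":      # invocation property: I(S1) >= I(S2)
        return s >= t
    raise ValueError("mode not covered by the strict integrity rules: " + action)


class BibaMonitor:
    """Minimal reference monitor: looks up levels, applies biba_allows, keeps an audit log."""

    def __init__(self, subjects: dict, objects: dict):
        self.subjects = dict(subjects)      # subject name -> integrity level
        self.objects = dict(objects)        # object name -> integrity level
        self.log = []

    def request(self, subject: str, action: str, target: str) -> bool:
        target_level = self.subjects[target] if action == "invoke" else self.objects[target]
        ok = biba_allows(action, self.subjects[subject], target_level)
        self.log.append((subject, action, target, "ALLOW" if ok else "DENY"))
        return ok


def demo() -> dict:
    """Constructed scenario: a trusted installer must never take input from an
    untrusted download area, and the browser must never touch system binaries."""
    m = BibaMonitor(
        subjects={"installer": "high", "browser": "low"},
        objects={"system_binaries": "high", "downloads": "low"},
    )
    return {
        "installer modifies system_binaries": m.request("installer", "modify", "system_binaries"),  # True
        "browser modifies system_binaries":   m.request("browser", "modify", "system_binaries"),    # False
        "installer observes downloads":       m.request("installer", "observe", "downloads"),       # False
        "browser observes system_binaries":   m.request("browser", "observe", "system_binaries"),   # True
        "browser invokes installer":          m.request("browser", "invoke", "installer"),          # False
        "installer invokes browser":          m.request("installer", "invoke", "browser"),          # True
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Note the asymmetry with BLP: under BLP the installer (high) could read the downloads object (read down is allowed), which is exactly the contamination path integrity confinement closes. The two models protect different properties, which is why a system that needs both confidentiality and integrity ends up enforcing both sets of rules.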
Clark-Wilson Integrity Model
- Principal components of the model
- Constrained data items (CDIs)
- Subject to strict integrity controls
- Unconstrained data items (UDIs)
- Integrity verification procedures (IVPs):
- Intended to assure that all CDIs conform to some application-specific model of integrity and consistency
- Transformation procedures (TPs):
- System transactions that change the set of CDIs from one consistent state to another
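The four components above fit together as a small transaction system, shown here as an added example written for this lecture (not code from the slides or from any real product). The CDIs are a set of account balances plus a recorded total, the IVP is a constructed invariant over them, two TPs move the CDIs between consistent states (one of them by validating a UDI, a raw deposit slip, before it may affect any CDI), and only certified (user, TP) pairs may run. A deliberately mis-certified TP is included to show the IVP catching a TP that fails to preserve consistency. All account names, users and amounts are constructed.

```python
# Added example: Clark-Wilson components (CDIs, UDIs, IVP, TPs) as a tiny ledger.
# Not from the slides; the invariant, accounts, TPs and users are constructed.
from copy import deepcopy


class IntegrityViolation(Exception):
    pass


class LedgerIVP:
    """IVP: decides whether the set of CDIs is in a consistent state.
    Constructed invariant: balances are non-negative integers and sum to the recorded total."""

    @staticmethod
    def check(cdis: dict) -> bool:
        balances = cdis["balances"]
        if any(not isinstance(v, int) or v < 0 for v in balances.values()):
            return False
        return sum(balances.values()) == cdis["total"]


class ClarkWilsonSystem:
    def __init__(self, cdis: dict, ivp):
        self.cdis = cdis
        self.ivp = ivp
        self.tps = {}           # TP name -> function(cdis, *args) that edits a copy of the CDIs
        self.allowed = set()    # certified (user, TP name) pairs
        self.audit = []
        if not ivp.check(self.cdis):
            raise IntegrityViolation("initial CDI state fails the IVP")

    def certify_tp(self, name: str, fn, users) -> None:
        self.tps[name] = fn
        for u in users:
            self.allowed.add((u, name))

    def run_tp(self, user: str, name: str, *args) -> bool:
        """Run a TP on a copy of the CDIs and commit only if the IVP still holds."""
        if (user, name) not in self.allowed:
            self.audit.append((user, name, "DENIED: user not certified for this TP"))
            return False
        candidate = deepcopy(self.cdis)
        try:
            self.tps[name](candidate, *args)
        except ValueError as e:
            self.audit.append((user, name, f"REJECTED: {e}"))
            return False
        if not self.ivp.check(candidate):
            self.audit.append((user, name, "REJECTED: IVP failed after TP"))
            return False
        self.cdis = candidate
        self.audit.append((user, name, "COMMITTED"))
        return True


# TPs: each must take the CDIs from one consistent state to another.
def tp_transfer(cdis: dict, src: str, dst: str, amount: int) -> None:
    if amount <= 0 or cdis["balances"][src] < amount:
        raise ValueError("insufficient funds or bad amount")
    cdis["balances"][src] -= amount
    cdis["balances"][dst] += amount


def tp_accept_deposit(cdis: dict, udi) -> None:
    """Validates a UDI (an untrusted deposit slip) before it may change any CDI."""
    if not isinstance(udi, dict) or set(udi) != {"account", "amount"}:
        raise ValueError("malformed deposit slip")
    if not isinstance(udi["amount"], int) or udi["amount"] <= 0:
        raise ValueError("bad amount")
    if udi["account"] not in cdis["balances"]:
        raise ValueError("unknown account")
    cdis["balances"][udi["account"]] += udi["amount"]
    cdis["total"] += udi["amount"]


def tp_broken_credit(cdis: dict, account: str, amount: int) -> None:
    """A mis-certified TP that forgets to update the total; the IVP rejects its result."""
    cdis["balances"][account] += amount


def demo() -> dict:
    cw = ClarkWilsonSystem({"balances": {"A": 100, "B": 50}, "total": 150}, LedgerIVP)
    cw.certify_tp("transfer", tp_transfer, users={"teller"})
    cw.certify_tp("deposit", tp_accept_deposit, users={"teller"})
    cw.certify_tp("credit", tp_broken_credit, users={"teller"})
    return {
        "teller transfer 30 A->B": cw.run_tp("teller", "transfer", "A", "B", 30),                    # True
        "teller overdraw":         cw.run_tp("teller", "transfer", "B", "A", 500),                   # False
        "customer runs transfer":  cw.run_tp("customer", "transfer", "A", "B", 1),                   # False
        "valid deposit UDI":       cw.run_tp("teller", "deposit", {"account": "A", "amount": 20}),   # True
        "malformed deposit UDI":   cw.run_tp("teller", "deposit", {"account": "A", "amount": "20"}), # False
        "broken credit TP":        cw.run_tp("teller", "credit", "A", 10),                           # False
        "final balances":          cw.cdis["balances"],                                              # {"A": 90, "B": 80}
        "final total":             cw.cdis["total"],                                                 # 170
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Running the TP on a copy and committing only after the IVP passes is the design choice that keeps a faulty TP from ever leaving the CDIs inconsistent; the audit list records every denied, rejected and committed attempt so a reviewer can see which control (certification, TP validation, or IVP) stopped each one.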