Slide 1: Mandatory Access Control (MAC)
Prof. Ravi Sandhu, Executive Director and Endowed Chair
Lecture 8
ravi.utsa@gmail.com
www.profsandhu.com
CS 5323
© Ravi Sandhu
World-Leading Research with Real-World Impact!
Slide 2: Denning's Axioms for Information Flow
Slide 3: Denning's Axioms
<SC, →, ⊕>
SC: the set of security classes
→ ⊆ SC × SC: the flow relation (i.e., can-flow)
⊕: SC × SC → SC: the class-combining operator
Slide 4: Denning's Axioms
<SC, →, ⊕>
1. SC is finite
2. → is a partial order on SC (i.e., reflexive, transitive, anti-symmetric)
3. SC has a lower bound L such that L → A for all A ∈ SC
4. ⊕ is a least upper bound (lub) operator on SC
The justification for 1 and 2 is stronger than for 3 and 4. In practice we may have only a partially ordered set (poset).
Slide 5: Denning's Axioms Imply
SC is a universally bounded lattice
There exists a greatest lower bound (glb) operator (also called meet)
There exists a highest security class H
Slide 6: Lattice Structures: Hierarchical Classes
Figure: the chain Unclassified → Confidential → Secret → Top Secret, edges labelled can-flow. Reflexive and transitive edges are implied but not shown.
Slide 7: Lattice Structures: Compartments and Categories
Figure: the powerset lattice of {ARMY, CRYPTO}: {} at the bottom, {ARMY} and {CRYPTO} above it, {ARMY, CRYPTO} at the top.
Slide 8: Lattice Structures: Compartments and Categories
Figure: the powerset lattice of {ARMY, NUCLEAR, CRYPTO}, ordered by subset inclusion: {}; {ARMY}, {NUCLEAR}, {CRYPTO}; {ARMY, NUCLEAR}, {ARMY, CRYPTO}, {NUCLEAR, CRYPTO}; {ARMY, NUCLEAR, CRYPTO}.
Slide 9: Lattice Structures: Hierarchical Classes with Compartments
Figure: the chain S < TS alongside the powerset lattice of {A, B} ({}, {A}, {B}, {A, B}).
The product of 2 lattices is a lattice.
Slide 10: Lattice Structures: Hierarchical Classes with Compartments
Figure: the product lattice with the 8 labels (S, {}), (S, {A}), (S, {B}), (S, {A, B}), (TS, {}), (TS, {A}), (TS, {B}), (TS, {A, B}).
The product of 2 lattices is a lattice.
Slide 11: Smith's Lattice
Figure (Smith's lattice; labels shown): U, C, S, TS, S-A, S-L, S-W, S-LW, TS-K, TS-L, TS-Q, TS-W, TS-X, TS-Y, TS-Z, TS-KL, TS-KY, TS-KLX, TS-KQZ, TS-AKLQWXYZ.
Slide 12: Smith's Lattice
With large lattices a vanishingly small fraction of the labels will actually be used.
Smith's lattice: 4 hierarchical levels, 8 compartments
Number of possible labels = 4 * 2^8 = 1024
Only 21 labels are actually used (about 2%)
Consider 16 hierarchical levels and 64 compartments, which gives 16 * 2^64, roughly 10^20 labels.
Slide 13: Extending a POSET to a Lattice
Figure: a poset of four labels {A}, {B}, {A,B,C}, {A,B,D} (not a lattice: {A} and {B} have no least upper bound in it), and its extension to a lattice by adding {}, {A,B} and {A,B,C,D}.
Such an extension is always possible.
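The following is an added example, not code from the lecture: it represents labels as (hierarchical level, compartment set) pairs, implements Denning's can-flow relation and class-combining (lub) operator plus the glb, checks the four axioms on a small label set, reproduces the label count from the Smith's lattice slide, and extends the poset of the previous slide to a lattice by closing it under union and intersection. The level and compartment names are the lecture's; the function names are this example's own.

```python
from itertools import product

# Added example, not from the lecture. Labels are (level, frozenset of
# compartments). Level names follow the lecture; everything else is assumed.

LEVELS = ["U", "C", "S", "TS"]           # Unclassified < Confidential < Secret < Top Secret
RANK = {lvl: i for i, lvl in enumerate(LEVELS)}


def label(level, *compartments):
    """A label is a pair (hierarchical level, frozenset of compartments)."""
    return (level, frozenset(compartments))


def can_flow(a, b):
    """a -> b (b dominates a): b's level is at least a's and b's
    compartments include all of a's."""
    return RANK[a[0]] <= RANK[b[0]] and a[1] <= b[1]


def lub(a, b):
    """Class-combining operator: least upper bound, i.e. the higher level
    and the union of the compartments."""
    return (LEVELS[max(RANK[a[0]], RANK[b[0]])], a[1] | b[1])


def glb(a, b):
    """Greatest lower bound (meet): the lower level, intersection of compartments."""
    return (LEVELS[min(RANK[a[0]], RANK[b[0]])], a[1] & b[1])


def all_labels(levels, compartments):
    """Product lattice: every level paired with every subset of the compartments."""
    comps = list(compartments)
    subsets = [frozenset(c for c, keep in zip(comps, bits) if keep)
               for bits in product((0, 1), repeat=len(comps))]
    return [(lvl, s) for lvl in levels for s in subsets]


def label_count(n_levels, n_compartments):
    """Number of possible labels without enumerating them (Smith's 4 * 2^8)."""
    return n_levels * 2 ** n_compartments


def satisfies_denning(labels):
    """Check Denning's axioms on a finite label set: -> is a partial order and
    every pair has its lub and glb inside the set, so a bottom and a top exist.
    O(n^3): meant for small sets, not for Smith's 1024 labels."""
    S = set(labels)
    for a in S:
        if not can_flow(a, a):                                    # reflexive
            return False
        for b in S:
            if a != b and can_flow(a, b) and can_flow(b, a):      # anti-symmetric
                return False
            if lub(a, b) not in S or glb(a, b) not in S:          # join and meet exist
                return False
            for c in S:                                           # transitive
                if can_flow(a, b) and can_flow(b, c) and not can_flow(a, c):
                    return False
    return True


def extend_to_lattice(compartment_sets):
    """Extend a poset of compartment sets to a lattice by closing it under
    union and intersection. A family of sets closed under both operations is
    a lattice under subset inclusion, and every original set is still in it."""
    closed = {frozenset(s) for s in compartment_sets}
    changed = True
    while changed:
        changed = False
        for a in list(closed):
            for b in list(closed):
                for s in (a | b, a & b):
                    if s not in closed:
                        closed.add(s)
                        changed = True
    return closed


if __name__ == "__main__":
    small = all_labels(["S", "TS"], "AB")            # slides 9-10: 2 x 4 = 8 labels
    print(len(small), satisfies_denning(small))      # 8 True
    print(label_count(4, 8), label_count(16, 64))    # 1024 295147905179352825856
    poset = [{"A"}, {"B"}, {"A", "B", "C"}, {"A", "B", "D"}]
    print(sorted("".join(sorted(s)) for s in extend_to_lattice(poset)))
    # ['', 'A', 'AB', 'ABC', 'ABCD', 'ABD', 'B']
```

Closing under union and intersection is one construction that works for labels that are sets; the four-element poset on the slide gains exactly {}, {A,B} and {A,B,C,D}, which is what the figure shows. Note that `lub` and `glb` are computed over the full product, so `satisfies_denning` only confirms that the set handed to it is closed under them.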
Slide 14: BLP Model for Confidentiality
Slide 15: BLP Basic Assumptions
SUB = {S1, S2, ..., Sm}, a fixed set of subjects
OBJ = {O1, O2, ..., On}, a fixed set of objects
R = {r, w}, a fixed set of rights
D, an m×n discretionary access matrix with D[i,j] ⊆ R
M, an m×n current access matrix with M[i,j] ⊆ R
Slide 16: BLP Model (Liberal *-Property)
Lattice of confidentiality labels with dominance relation ≥
Static assignment of confidentiality labels λ: SUB ∪ OBJ → lattice
M, an m×n current access matrix with
r ∈ M[i,j] ⇒ r ∈ D[i,j] ∧ λ(Si) ≥ λ(Oj)   (simple security)
w ∈ M[i,j] ⇒ w ∈ D[i,j] ∧ λ(Si) ≤ λ(Oj)   (liberal *-property)
Slide 17: BLP Model (Strict *-Property)
Lattice of confidentiality labels with dominance relation ≥
Static assignment of confidentiality labels λ: SUB ∪ OBJ → lattice
M, an m×n current access matrix with
r ∈ M[i,j] ⇒ r ∈ D[i,j] ∧ λ(Si) ≥ λ(Oj)   (simple security)
w ∈ M[i,j] ⇒ w ∈ D[i,j] ∧ λ(Si) = λ(Oj)   (strict *-property)
Slide 18: BLP vis-à-vis Lattices
Figure: the chain Unclassified, Confidential, Secret, Top Secret drawn with both the can-flow relation and the dominance relation (its converse).
Slide 19: BLP vis-à-vis Lattices
Figure: the same chain Unclassified, Confidential, Secret, Top Secret with can-flow and dominance.
It is risky to visualize lattices as total orders, but it is OK sometimes.
Slide 20: BLP vis-à-vis Lattices
Figure: two labels, H (High) and L (Low), with can-flow from L to H and dominance of H over L.
Often 2 levels suffice to make the main point.
Slide 21: *-Property
The *-property applies to subjects, not to users.
Users are trusted (must be trusted) not to disclose secret information outside of the computer system.
A user can log in (create a subject) with any label dominated by the user's clearance.
Subjects are not trusted because they may have Trojan horses embedded in the code they execute.
The *-property prevents deliberate leakage; it does not address inference or covert channels.
Simple security and the *-property do not account for encryption.
Slide 22: Biba Model for Integrity
Slide 23: BLP Revisited
Figure: HS (High Secrecy) above LS (Low Secrecy); can-flow from LS to HS, dominance of HS over LS.
Slide 24: Biba Inverted Flow
Figure: HI (High Integrity) above LI (Low Integrity); can-flow from HI to LI, i.e. the inverse of the secrecy case, with HI dominating LI.
Slide 25: Biba and BLP Aligned: BLP Style
Figure: the secrecy pair HS (High Secrecy) over LS (Low Secrecy) drawn beside the integrity pair LI (Low Integrity) over HI (High Integrity), so that can-flow points upward and dominance downward in both.
One-directional flow is the key point. There is no need for opposite directions for confidentiality and integrity.
Slide 26: Biba and BLP Aligned: Biba Style
Figure: the same alignment drawn the other way up: LS (Low Secrecy) over HS (High Secrecy) beside HI (High Integrity) over LI (Low Integrity), can-flow downward in both.
One-directional flow is the key point. There is no need for opposite directions for confidentiality and integrity.
Slide 27: BLP-Biba Unified Lattice: BLP Style
Figure: the BLP lattice (HS over LS), the BIBA lattice (LI over HI), and their product, the Unified lattice with labels (HS, LI) at the top, (HS, HI) and (LS, LI) in the middle, and (LS, HI) at the bottom; can-flow upward, dominance downward.
Slide 28: BLP versus Biba
BLP and Biba are fundamentally equivalent and interchangeable.
Lattice-based access control is a mechanism for enforcing one-way information flow, which can be applied to confidentiality or integrity goals.
We will use the BLP formulation:
high confidentiality, low integrity at the top
low confidentiality, high integrity at the bottom
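The following is an added example, not code from the lecture: a small reference monitor that enforces the simple security and *-property rules of the BLP slides (both liberal and strict forms) over the unified secrecy/integrity lattice of the BLP-Biba slides, and walks through the Trojan horse scenario from the *-property slide. The subject and object names, the D matrix and the request sequence are constructed for this example; the function `lam` stands in for the label assignment λ.

```python
# Added example, not from the lecture. Labels are (secrecy, integrity) pairs
# ordered componentwise; Biba is inverted into BLP style so that high integrity
# sits at the bottom. All names and the D matrix below are made up.

SECRECY = {"LS": 0, "HS": 1}
INTEGRITY = {"HI": 0, "LI": 1}


def lam(secrecy, integrity):
    """λ: the unified label of a subject or object."""
    return (SECRECY[secrecy], INTEGRITY[integrity])


def dominates(a, b):
    """a ≥ b: information may flow from b to a in both dimensions."""
    return a[0] >= b[0] and a[1] >= b[1]


class BLPMonitor:
    """Maintains the current access matrix M. A right enters M only if the
    discretionary matrix D permits it and the MAC rule for that right holds."""

    def __init__(self, subjects, objects, D, strict=False):
        self.subjects = subjects        # name -> label
        self.objects = objects          # name -> label
        self.D = D                      # (subject, object) -> set of rights
        self.strict = strict            # strict or liberal *-property
        self.M = {}                     # (subject, object) -> rights granted

    def request(self, s, o, right):
        if right not in self.D.get((s, o), set()):
            return False                                  # DAC says no
        ls, lo = self.subjects[s], self.objects[o]
        if right == "r":
            ok = dominates(ls, lo)                        # simple security
        elif right == "w":
            ok = ls == lo if self.strict else dominates(lo, ls)   # *-property
        else:
            return False
        if ok:
            self.M.setdefault((s, o), set()).add(right)
        return ok


def trojan_scenario(strict=False):
    """Alice is cleared HS. The editor she runs at HS is Trojan-infected and D
    lets it write public.txt; only the *-property stops the leak. Her login at
    a dominated label (LS) can still write public.txt."""
    subjects = {
        "alice_hs": lam("HS", "HI"),        # logged in at her clearance
        "alice_ls": lam("LS", "HI"),        # logged in at a dominated label
        "download_tool": lam("LS", "LI"),   # untrusted, low-integrity code
    }
    objects = {
        "secret.doc": lam("HS", "HI"),
        "public.txt": lam("LS", "HI"),
        "download.bin": lam("LS", "LI"),
    }
    D = {
        ("alice_hs", "secret.doc"): {"r", "w"},
        ("alice_hs", "public.txt"): {"r", "w"},    # DAC alone would permit the leak
        ("alice_hs", "download.bin"): {"r"},
        ("alice_ls", "public.txt"): {"r", "w"},
        ("alice_ls", "secret.doc"): {"w"},         # a blind write-up
        ("download_tool", "public.txt"): {"w"},
    }
    mon = BLPMonitor(subjects, objects, D, strict=strict)
    return {
        "hs_read_secret": mon.request("alice_hs", "secret.doc", "r"),
        "hs_read_public": mon.request("alice_hs", "public.txt", "r"),
        "hs_write_public": mon.request("alice_hs", "public.txt", "w"),      # the Trojan's leak
        "ls_write_public": mon.request("alice_ls", "public.txt", "w"),
        "ls_write_secret": mon.request("alice_ls", "secret.doc", "w"),      # liberal yes, strict no
        "hs_read_lowint": mon.request("alice_hs", "download.bin", "r"),     # Biba: no read of low integrity
        "lowint_write_public": mon.request("download_tool", "public.txt", "w"),  # Biba: no write to high integrity
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("strict" if mode else "liberal", trojan_scenario(strict=mode))
```

The two integrity checks fall out of the same two rules: because (HS, HI) and (LS, LI) are incomparable in the unified lattice, a high-integrity subject cannot read the low-integrity download and the low-integrity tool cannot write the high-integrity file, without any Biba-specific code.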
Slide 29: The Chinese Wall Lattice for Separation of Duty
Slide 30: Chinese Wall Policy
A commercial security policy for separation-of-duty driven confidentiality
A mixture of free choice (discretionary) and mandatory controls
Requires some kind of dynamic labelling
Slide 31: Chinese Wall Policy
Figure: ALL OBJECTS are partitioned into CONFLICT OF INTEREST CLASSES, each of which contains COMPANY DATASETS, each of which contains INDIVIDUAL OBJECTS.
A consultant can access information about at most one company in each conflict of interest class.
Slide 32: Chinese Wall Example
Figure: two conflict of interest classes: BANKS, containing companies A and B, and OIL COMPANIES, containing companies X and Y.
Slide 33: Chinese Wall Lattice
Figure: labels (A, -), (B, -), (-, X), (-, Y), (A, X), (A, Y), (B, X), (B, Y), with SYSLOW at the bottom and SYSHIGH at the top.
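The following is an added example, not code from the lecture: it implements the dynamic labelling the Chinese Wall slides call for, using the BANKS/OIL COMPANIES example (banks A and B, oil companies X and Y). A consultant's label starts at SYSLOW, the first read in each conflict of interest class is a free choice, and every later read in that class is mandatory; the lattice's dominance and join are included so the SYSHIGH label from the lattice slide appears where two different companies of one class would have to be combined. The consultant name and access sequence are constructed for this example.

```python
# Added example, not from the lecture. Conflict of interest classes and
# company names follow the lecture's example; the consultant and the
# sequence of reads are made up.

COI_CLASSES = {"BANKS": ("A", "B"), "OIL": ("X", "Y")}
CLASS_OF = {co: cls for cls, cos in COI_CLASSES.items() for co in cos}
CLASS_ORDER = tuple(COI_CLASSES)          # label positions: (BANKS, OIL)

SYSLOW = ("-", "-")                       # nothing chosen in any class
SYSHIGH = "SYSHIGH"                       # top: more than one company in some class


def dominates(hi, lo):
    """hi ≥ lo in the Chinese Wall lattice: in every class, lo has chosen
    nothing ('-') or the same company as hi. SYSHIGH dominates everything."""
    if hi == SYSHIGH:
        return True
    if lo == SYSHIGH:
        return False
    return all(l == "-" or l == h for h, l in zip(hi, lo))


def join(a, b):
    """Least upper bound: merge the choices class by class. Two different
    companies in one class have no upper bound below SYSHIGH."""
    if a == SYSHIGH or b == SYSHIGH:
        return SYSHIGH
    out = []
    for x, y in zip(a, b):
        if x == "-" or x == y:
            out.append(y)
        elif y == "-":
            out.append(x)
        else:
            return SYSHIGH
    return tuple(out)


class ChineseWall:
    """Each consultant's label starts at SYSLOW and rises as they read."""

    def __init__(self):
        self.history = {}   # consultant -> {coi_class: company already read}

    def label(self, user):
        h = self.history.get(user, {})
        return tuple(h.get(cls, "-") for cls in CLASS_ORDER)

    def can_read(self, user, company):
        chosen = self.history.get(user, {}).get(CLASS_OF[company])
        return chosen is None or chosen == company

    def read(self, user, company):
        """Free choice the first time in a class, mandatory afterwards."""
        if not self.can_read(user, company):
            return False
        self.history.setdefault(user, {})[CLASS_OF[company]] = company
        return True


if __name__ == "__main__":
    wall = ChineseWall()
    for company in ("A", "X", "B", "A"):
        print(company, wall.read("kim", company), wall.label("kim"))
    # A True ('A', '-') / X True ('A', 'X') / B False ('A', 'X') / A True ('A', 'X')
```

Each successful read raises the consultant's label by joining it with the dataset's label, which is why the label only ever moves up the lattice; an attempt that would need SYSHIGH is exactly the conflict the policy forbids.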
Slide 34: Conclusion
Slide 35: MAC or LBAC or BLP (or Biba)
BLP enforces one-directional information flow in a lattice of security labels.
BLP can enforce one-directional information flow policies for:
confidentiality
integrity
separation of duty
combinations thereof
Policy; Enforcement
Slide 36: Covert Channels
Slide 37: Covert Channels
A covert channel is a communication channel based on the use of system resources not normally intended for communication between subjects (processes).
Slide 38: Covert Channels
Figure: a Trojan-horse-infected High subject (run by the High user) and a Trojan-horse-infected Low subject (run by the Low user) communicate over a COVERT CHANNEL. Information is leaked unknown to the High user.
Slide 39: Covert Channels
Figure: the same as Slide 38.
The *-property prevents overt leakage of information and does not address covert channels.
Slide 40: Side Channels
Figure: User 1's subject and User 2's Trojan-horse-infected subject, linked by a SIDE CHANNEL. Information is leaked unknown to User 1.
Slide 41: Covert Channels versus Side Channels
Covert channels require a cooperating sender and receiver.
Side channels do not require a sender, but nevertheless information is leaked to a receiver.
Slide 42: Coping with Covert/Side Channels
Identify the channel
Close the channel or slow it down
Detect attempts to use the channel
Tolerate its existence
Slide 43: Storage Channels
Also known as resource exhaustion channels.
Given a 5 GB pool of dynamically allocated memory:
HIGH PROCESS (sender): bit = 1 ⇒ request 5 GB of memory; bit = 0 ⇒ request 0 GB of memory
LOW PROCESS (receiver): request 5 GB of memory; if allocated then bit = 0, otherwise bit = 1
Slide 44: Timing Channels
Also known as load sensing channels.
Given a 5 GB pool of dynamically allocated memory:
HIGH PROCESS (sender): bit = 1 ⇒ enter a computation-intensive loop; bit = 0 ⇒ go to sleep
LOW PROCESS (receiver): perform a task with a known computational requirement; if completed promptly then bit = 0, otherwise bit = 1