computer security integrity policies


Upload: magda

Post on 12-Feb-2016


Page 1: Computer Security Integrity Policies

04/22/23 1

Computer Security: Integrity Policies

Page 2: Computer Security Integrity Policies

Integrity Policies: Commercial requirement

• Users should not write their own programs.
• Programmers will develop and test programs on a non-production system.
• A special process must be followed to install a program from the development system onto the production system.
• This must be controlled and audited.
• Managers and auditors must have access to both the system state and log state.

Page 3: Computer Security Integrity Policies

Integrity Policies: Goals

• Separation of duties
  – If two or more steps are required to perform a critical function, at least two people should perform the steps.
• Separation of function
  – Developers do not develop new programs on production systems.
  – Developers do not process production data on production systems.
• Auditing
  – Commercial systems emphasize recovery and accountability.
  – Auditing involves analyzing systems to determine what actions took place and who was involved.

Page 4: Computer Security Integrity Policies

Biba Integrity model

Basically a dual of the Bell-LaPadula model.
We have a subject set S, an object set O, a set of integrity levels I, and an ordering relation ≤ on I.
Let i : S ∪ O → I return the integrity level.

Relations
• r : ability to read an object
• w : ability to write an object
• x : ability to execute a subject

Page 5: Computer Security Integrity Policies

Information transfer path

An information transfer path is a sequence of objects

o1, …, on+1

and a corresponding sequence of subjects

s1, …, sn

such that sj r oj and sj w oj+1 for all j, 1 ≤ j ≤ n.

Page 6: Computer Security Integrity Policies

Low-Water-Mark Policy

1. s ∈ S can write to o ∈ O iff i(o) ≤ i(s).
2. If s ∈ S reads o ∈ O then i'(s) = min(i(s), i(o)), where i'(s) is the integrity level of s after the read.
3. s1 ∈ S can execute s2 ∈ S iff i(s2) ≤ i(s1).

So
• write up is prevented (prevents the implanting of corrupted data)
• the integrity level drops on read access to lower-level objects (prevents contaminating the subject, i.e. relying on less trustworthy data)
• execute up is prevented.

Page 7: Computer Security Integrity Policies

Low-Water-Mark Policy

Theorem: If there is an information transfer path from o1 ∈ O to on+1 ∈ O, then enforcement of the low-water-mark policy requires that i(on+1) ≤ i(o1) for all n ≥ 1.

Proof: The integrity level of a subject cannot go up, so each sj writes oj+1 at a level no higher than the level it holds after reading oj. Proof by induction on n.

Page 8: Computer Security Integrity Policies

Low-Water-Mark Policy: Problem

The integrity level of a subject is non-increasing, so some subjects eventually become unable to access certain objects.

Page 9: Computer Security Integrity Policies

Ring Policy

This ignores indirect modifications and focuses on direct modifications.

• s ∈ S can write to o ∈ O iff i(o) ≤ i(s).
• s ∈ S can read any o ∈ O.
• s1 ∈ S can execute s2 ∈ S iff i(s2) ≤ i(s1).

Difference: subjects can read any object.

Page 10: Computer Security Integrity Policies

Biba's strict integrity Policy

1. s ∈ S can write to o ∈ O iff i(o) ≤ i(s).
2. s ∈ S can read o ∈ O iff i(s) ≤ i(o).
3. s1 ∈ S can execute s2 ∈ S iff i(s2) ≤ i(s1).

So
• write up is prevented
• read down is prevented (prevents relying on less trustworthy data)
• execute up is prevented.
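The three Biba variants on this and the two preceding pages, as an added example that is not from the slides: a small Python simulator in which integrity levels are integers (higher = more trustworthy); `Subject`, `Obj` and `Biba` are this example's own names. `low_water_mark_lockout` reproduces the problem noted on Page 8.

```python
# Added example (not from the slides): simulator for the three Biba variants.
# Integrity levels are integers, higher = more trustworthy; names are this example's own.
from dataclasses import dataclass

@dataclass
class Subject:
    name: str
    level: int          # current integrity level i(s); may drop under low-water-mark

@dataclass
class Obj:
    name: str
    level: int          # integrity level i(o), fixed

class Biba:
    """policy is one of 'low_water_mark', 'ring', 'strict'."""
    def __init__(self, policy):
        assert policy in ("low_water_mark", "ring", "strict")
        self.policy = policy

    def can_write(self, s, o):
        return o.level <= s.level            # all variants: write up is prevented

    def can_read(self, s, o):
        if self.policy == "strict":
            return s.level <= o.level        # strict: read down is prevented
        return True                          # ring, low-water-mark: may read any object

    def read(self, s, o):
        """Perform a read; under low-water-mark the subject's level becomes min(i(s), i(o))."""
        if not self.can_read(s, o):
            return False
        if self.policy == "low_water_mark":
            s.level = min(s.level, o.level)
        return True

    def can_execute(self, s1, s2):
        return s2.level <= s1.level          # all variants: execute up is prevented

def low_water_mark_lockout():
    """The 'problem' slide: one read of a low object permanently costs the
    subject its ability to write the high object it could write before."""
    pol = Biba("low_water_mark")
    s = Subject("analyst", 3)
    report, feed = Obj("report", 3), Obj("untrusted_feed", 1)
    before = pol.can_write(s, report)        # True: i(report) = 3 <= i(s) = 3
    pol.read(s, feed)                        # i(s) drops to min(3, 1) = 1
    after = pol.can_write(s, report)         # False: 3 <= 1 fails
    return before, after, s.level
```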

Page 11: Computer Security Integrity Policies

Lipner's Integrity Matrix Model

Combines BLP and Biba.

Two basic security levels
• Audit Manager (AM): system and management functions
• System Low (SL): any process can read information at this level.

Five categories
• Development (D)
• Production Code (PC)
• Production Data (PD)
• System Development (SD)
• Software Tools (T)

Page 12: Computer Security Integrity Policies

Lipner's Integrity Matrix Model

Users                          Clearance level
Ordinary users                 (SL, {PC, PD})
Application Developers         (SL, {D, T})
System Programmers             (SL, {SD, T})
System Managers & Auditors     (AM, {D, PC, PD, SD, T})
System Controllers             (SL, {D, PC, PD, SD, T}) and downgrade privileges

Objects                               Class
Development code/test data            (SL, {D, T})
Production Code                       (SL, {PC})
Production Data                       (SL, {PC, PD})
Software Tools                        (SL, {T})
System Programs                       (SL, {})
System programs in modification       (SL, {SD, T})
System and Application logs           (AM, {appropriate categories})

Page 13: Computer Security Integrity Policies

Lipner's full Model

Users                          Security clearance                      Integrity clearance
Ordinary users                 (SL, {SP})                              (ISL, {IP})
Application Developers         (SL, {SD})                              (ISL, {ID})
System Programmers             (SL, {SSD})                             (ISL, {ID})
System Managers & Auditors     (AM, {D, PC, PD, SD, T})                (ISL, {IP, ID})
System Controllers             (SL, {SP, SD}) & downgrade privileges   (ISP, {IP, ID})
Repair                         (SL, {SP})                              (ISL, {IP})

Objects                               Security level                  Integrity level
Development code/test data            (SL, {SD})                      (ISL, {IP})
Production Code                       (SL, {SP})                      (IO, {IP})
Production Data                       (SL, {SP})                      (ISL, {IP})
Software Tools                        (SL, {})                        (IO, {ID})
System Programs                       (SL, {})                        (ISP, {IP, ID})
System programs in modification       (SL, {SSD})                     (ISL, {ID})
System and Application logs           (AM, {appropriate categories})  (ISL, {})
Repair                                (SL, {SP})                      (ISL, {IP})

Three new integrity classifications: ISP (system program), IO (operational), ISL (system low).
Two integrity categories: ID (developers), IP (producers).

Page 14: Computer Security Integrity Policies

Lipner's full Model: exercise

(Users and objects tables as on Page 13.)

For read access: s(subject) ≥ s(object) and i(subject) ≤ i(object).
Controllers do not have read access to development code or production code.

For write access: s(subject) ≤ s(object) and i(subject) ≥ i(object).
Controllers do have write access to development code and production code.

Who can help the controllers move development code to production code?
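The read and write rules of the exercise, applied to the full-model tables, as an added example that is not from the slides. It assumes the orderings AM > SL and ISP > IO > ISL (as in Lipner's original model), treats ≥ on (level, categories) as dominance, and uses the strict Biba read rule the exercise states; the table entries are the slide's.

```python
# Added example (not from the slides): dominance checks for Lipner's full model.
# Table entries are the slide's; the orderings AM > SL and ISP > IO > ISL are assumed
# (as in Lipner's original model). Read and write follow the exercise slide's rules.
SEC_ORDER = {"SL": 0, "AM": 1}
INT_ORDER = {"ISL": 0, "IO": 1, "ISP": 2}

def dominates(a, b, order):
    """(level, categories) a dominates b iff level_a >= level_b and cats_a is a superset of cats_b."""
    (la, ca), (lb, cb) = a, b
    return order[la] >= order[lb] and set(ca) >= set(cb)

# (security clearance, integrity clearance) per user class
USERS = {
    "ordinary user":     (("SL", {"SP"}),       ("ISL", {"IP"})),
    "application dev":   (("SL", {"SD"}),       ("ISL", {"ID"})),
    "system programmer": (("SL", {"SSD"}),      ("ISL", {"ID"})),
    "system controller": (("SL", {"SP", "SD"}), ("ISP", {"IP", "ID"})),
}
# (security level, integrity level) per object class
OBJECTS = {
    "development code": (("SL", {"SD"}), ("ISL", {"IP"})),
    "production code":  (("SL", {"SP"}), ("IO",  {"IP"})),
    "production data":  (("SL", {"SP"}), ("ISL", {"IP"})),
    "system programs":  (("SL", set()),  ("ISP", {"IP", "ID"})),
}

def can_read(user, obj):
    # BLP simple security: s(subject) >= s(object);  Biba: i(subject) <= i(object)
    (us, ui), (os_, oi) = USERS[user], OBJECTS[obj]
    return dominates(us, os_, SEC_ORDER) and dominates(oi, ui, INT_ORDER)

def can_write(user, obj):
    # BLP *-property: s(subject) <= s(object);  Biba: i(subject) >= i(object)
    (us, ui), (os_, oi) = USERS[user], OBJECTS[obj]
    return dominates(os_, us, SEC_ORDER) and dominates(ui, oi, INT_ORDER)

def access_matrix():
    """Every (user, object) pair with the access it gets: 'r', 'w', 'rw' or '-'."""
    out = {}
    for u in USERS:
        for o in OBJECTS:
            mode = ("r" if can_read(u, o) else "") + ("w" if can_write(u, o) else "")
            out[(u, o)] = mode or "-"
    return out
```

The matrix confirms the slide's observation that controllers, at their maximum clearances, cannot read development or production code, because their integrity level ISP is above the objects' levels.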

Page 15: Computer Security Integrity Policies

Reminder: The Bell-LaPadula model

ss-property: (s, o, p) ∈ S × O × P satisfies the ss-property relative to the security level f iff one of the following holds:

a. p = e or p = a
b. p = r or p = w, and fc(s) dom fo(o).

Also DAC!

Page 16: Computer Security Integrity Policies

Reminder: The Bell-LaPadula model

Define b(s: p1, …, pn) to be the set of objects that s has access to with rights p1, …, pn.

*-property: For each s ∈ S the following hold:

a. b(s: a) ≠ ∅ → [∀o ∈ b(s: a) [fc(o) dom fc(s)]]   (write-up)
b. b(s: w) ≠ ∅ → [∀o ∈ b(s: w) [fc(o) = fc(s)]]   (equality for read)
c. b(s: r) ≠ ∅ → [∀o ∈ b(s: r) [fc(s) dom fo(o)]]   (read-down)

Also DAC!

Page 17: Computer Security Integrity Policies

Lipner's Integrity Matrix Model

Lipner's model combines Biba and Bell-LaPadula.

Bell-LaPadula model:
• Simple security property
• *-property

For example: an ordinary user can execute production code; if he needs to alter production data, the *-property dictates that the data be in (System Low, {Production Code, Production Data}).

Page 18: Computer Security Integrity Policies

Lipner's Integrity Matrix Model

Objects                               Class
Development code/test data            (SL, {D, T})
Production code                       (SL, {PC})
Production data                       (SL, {PC, PD})
Software tools                        (SL, {T})
System programs                       (SL, {})
System programs in modification       (SL, {SD, T})
System and application logs           (AM, {appropriate categories})

Logs are append only. By the *-property their class must dominate those of the subjects that write to them.

Page 19: Computer Security Integrity Policies

This model addresses data integrity requirements for commercial applications, e.g. bank transactions.

Integrity requirements are divided into:
• internal consistency: properties of the internal state that can be enforced by the computer system.
• external consistency: the relation of the internal state to the real world, enforced by means outside the system, e.g. auditing.

Page 20: Computer Security Integrity Policies

The CW Model

Integrity is enforced by:
• well-formed transactions: data items can be manipulated only by a specific set of programs; users have access to programs rather than data items.
• separation of duties: users have to collaborate to manipulate data and collude to penetrate the system.

Page 21: Computer Security Integrity Policies

The CW Model

In the Clark-Wilson model,
• Subjects must be identified and authenticated,
• Objects can be manipulated only by a restricted set of programs,
• Subjects can execute only a restricted set of programs,
• A proper audit log has to be maintained,
• The system must be certified to work properly.


Page 23: Computer Security Integrity Policies

The CW Model

In the Clark-Wilson model
• Data items are called Constrained Data Items (CDIs),
• Data items not subject to integrity controls are Unconstrained Data Items (UDIs),
• A set of integrity constraints constrains the values of CDIs,
• CDIs can only be manipulated by Transformation Procedures (TPs),
• The integrity of a state is checked by Integrity Verification Procedures (IVPs).

Page 24: Computer Security Integrity Policies

The CW Model

Security procedures are defined by 5 Certification rules:
1. Integrity Verification Procedures must ensure that all Constrained Data Items are in a valid state when the IVP is run.
2. Transformation Procedures must transform valid CDIs into valid CDIs.
3. The "allowed" access relations must meet the requirements imposed by the principle of separation of duty.
4. All TPs must write to an append-only CDI log.
5. Any TP that takes a UDI as input must either convert it into a CDI or reject it.

Page 25: Computer Security Integrity Policies

The CW Model

Integrity is enforced by the 4 Enforcement rules:
1. The system must maintain and protect the certified relations (TPi: CDIa, CDIb, …) and ensure that only Transformation Procedures certified to run on a Constrained Data Item manipulate that CDI.
2. The system must maintain and protect the list of entries (User, TPi: CDIa, CDIb, …) specifying the TPs that users can execute.
3. The system must authenticate each user requesting to execute a TP.
4. Only the certifier of a TP may modify the respective entities associated with that TP. No certifier of a TP may have execute permission with respect to that entity.
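The certification and enforcement rules of Pages 24 and 25, as an added example that is not from the slides: a miniature Python enforcement kernel for a bank ledger, where account balances are the CDIs, the invariant total is the integrity constraint, `transfer` is a TP and the raw request dict is its UDI. `CWSystem`, `IntegrityError` and the rule tags in comments are this example's own.

```python
# Added example (not from the slides): a toy Clark-Wilson kernel for a bank ledger.
class IntegrityError(Exception):
    """Raised by a TP that rejects its UDI input (C5)."""

class CWSystem:
    def __init__(self, accounts):
        self.cdi = dict(accounts)             # Constrained Data Items: balances
        self.total = sum(accounts.values())   # integrity constraint: total is invariant
        self.log = []                         # append-only CDI log (C4)
        self.certified = {}                   # TP -> (fn, CDIs it may touch) (E1)
        self.allowed = set()                  # (user, TP) pairs (E2)
        self.authenticated = set()            # users who passed authentication (E3)

    def ivp(self):
        # C1: every balance non-negative and the total unchanged
        return all(b >= 0 for b in self.cdi.values()) and sum(self.cdi.values()) == self.total

    def certify(self, tp, fn, cdis):
        self.certified[tp] = (fn, frozenset(cdis))

    def permit(self, user, tp):
        self.allowed.add((user, tp))
    def run(self, user, tp, udi):
        """Execute a certified TP for user; returns an outcome string."""
        if user not in self.authenticated:           # E3
            return "denied: unauthenticated user"
        if (user, tp) not in self.allowed:           # E2
            return "denied: user may not run this TP"
        fn, cdis = self.certified[tp]                # E1
        snapshot = dict(self.cdi)
        try:
            fn(self, udi, cdis)
        except IntegrityError as e:
            return f"rejected: {e}"
        if not self.ivp():                           # C2: valid state in, valid state out
            self.cdi = snapshot
            return "rejected: TP left CDIs invalid; rolled back"
        self.log.append((user, tp, udi))             # C4
        return "committed"

def transfer(system, udi, cdis):
    """TP: move money between two CDIs. The UDI is a raw request dict (C5)."""
    try:
        src, dst, amount = udi["from"], udi["to"], int(udi["amount"])
    except (KeyError, ValueError, TypeError):
        raise IntegrityError("malformed UDI")
    if src not in cdis or dst not in cdis or amount <= 0 or system.cdi[src] < amount:
        raise IntegrityError("UDI fails validation")
    system.cdi[src] -= amount
    system.cdi[dst] += amount
```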