![Page 1: Chapter 5 – Designing Trusted Operating Systems. In this section What is a trusted system? Security Policy Military Commercial Clark-Wilson Separation](https://reader038.vdocument.in/reader038/viewer/2022110405/56649ee65503460f94bf5dd5/html5/thumbnails/1.jpg)
Chapter 5 – Designing Trusted Operating Systems
In this section
What is a trusted system?
Security Policy: Military, Commercial, Clark-Wilson, Separation of Duty, Chinese Wall
Models: Lattice Model, Bell-La Padula, Biba, Graham-Denning, Take-Grant
Designing Trusted OS
Primary security in computing systems:
Memory
File
Objects/Access Control
User Authentication
Trusted – We are confident that services are provided consistently and effectively
Making of a trusted OS
Policy – requirements statement of what the system should do
Model – model of the environment to be secured; represents the policy to be enforced
Design – the means of implementation; functionality and construction
Trust – assurance of meeting expectations through the features offered
What is a trusted system?
What makes something secure? For how long?
Trusted Software – rigorously developed and analyzed
Key Characteristics of Trusted Software:
Functional Correctness
Enforcement of Integrity
Limited Privilege
Appropriate Confidence Level
We speak in terms of trusted and not secure
Many types of Trust:
Trusted Process
Trusted Product
Trusted Software
Trusted Computing Base
Trusted System
Through:
Enforcement of Security Policy
Sufficiency of Measures and Mechanism
Evaluation
Security Policy
Security Policy – statement of the security we expect the system to enforce
A trusted system can be trusted only in relation to its security policy, that is, to the security needs the system is expected to satisfy
Military Security Policy
Basis of many OS security policies
Based on protecting classified information: Top Secret (most sensitive), Secret, Confidential, Restricted, Unclassified (least sensitive)
Limited by the Need-to-Know rule: access is allowed only to subjects who need to know the data to perform their job
Compartments – classified information may be associated with one or more projects describing the subject matter of the information
Classification – <rank; compartments>
This enforces need-to-know both by security level and by topic
Clearance – a person is trusted to access information up to a given level of sensitivity, with need-to-know
Dominance, on a set of objects (o) and subjects (s): s ≤ o if and only if rank(s) ≤ rank(o) and compartments(s) ⊆ compartments(o)
We say o dominates s (or s is dominated by o)
Dominance is used to limit the sensitivity and content of information a subject can access
A subject can read an object only if:
the clearance level of the subject is at least as high as the classification of the information
the subject has a need-to-know about all compartments for which the information is classified
Commercial Security Policies
Worried about espionage
Degrees of sensitivity: Public, Proprietary, Internal
No dominance function for most commercial policies, since no formal clearance is needed
Integrity and availability are just as, if not more, important than confidentiality
Clark-Wilson Commercial Security Policy
This is based on integrity
Policy on well-formed transactions: a sequence of activities, performing the steps in order, performing exactly the steps listed, and authenticating the individuals who perform the steps
Goal: maintain consistency between internal data and the external (users') expectation of that data
Constrained data items, which are processed only by transformation procedures
Separation of Duty
The required division of responsibilities is called separation of duty
Accomplished manually by means of dual signatures
Chinese Wall Security Policy
Used in legal, medical, investment and accounting firms
Addresses conflict of interest
The security policy builds on three levels:
Objects – low level
Company groups – mid level
Conflict classes – high level; groups of objects belonging to competing companies are clustered together
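An added example (not from the slides): a Python checker for the Chinese Wall read rule over the three levels just listed. The object, company and conflict-class names are constructed sample data; a subject's wall is built from the company datasets it has already touched.

```python
from dataclasses import dataclass, field

# Constructed sample hierarchy: object -> company dataset -> conflict-of-interest class.
COMPANY_OF = {
    "bankA-ledger": "BankA", "bankA-memo": "BankA", "bankB-ledger": "BankB",
    "oilX-report": "OilX", "oilY-report": "OilY",
}
CONFLICT_CLASS_OF = {"BankA": "banks", "BankB": "banks", "OilX": "oil", "OilY": "oil"}

@dataclass
class Subject:
    name: str
    accessed: set = field(default_factory=set)   # company datasets this subject has already touched

def may_access(subject, obj):
    """Chinese Wall read rule: obj is allowed only if every company already accessed by subject is
    either the same company or sits in a different conflict class (no competitor in the same class)."""
    company = COMPANY_OF[obj]
    cls = CONFLICT_CLASS_OF[company]
    return all(prior == company or CONFLICT_CLASS_OF[prior] != cls for prior in subject.accessed)

def access(subject, obj):
    """Mediate one access; the wall grows dynamically from the subject's access history."""
    if not may_access(subject, obj):
        return False
    subject.accessed.add(COMPANY_OF[obj])
    return True

def demo():
    """One consultant's session: BankA twice, then BankB (blocked), OilX, then OilY (blocked)."""
    alice = Subject("alice")
    return [access(alice, o) for o in
            ("bankA-ledger", "bankA-memo", "bankB-ledger", "oilX-report", "oilY-report")]
```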
Models of Security
Security models are used to:
Test a particular policy for completeness and consistency
Document policy
Help conceptualize and design an implementation
Check whether an implementation meets its requirements
Policy is established outside any model
Model is only a mechanism that enforces the policy
Multilevel Security
Build a model to represent a range of sensitivities and to reflect the need to separate subjects rigorously from objects to which they should not have access
The generalized model is called the Lattice Model of Security
Bell-La Padula Confidentiality Model
Formal description of allowable paths of information flow in a secure system
Formalization of the military security policy
Two properties:
Simple Security Property – A subject s may have read access to object o only if C(o) ≤ C(s)
*-Property – A subject s who has read access to an object o may have write access to an object p only if C(o) ≤ C(p)
C(s) – clearance; C(o) – classification
Write-down – a high-level subject transfers high-level data to a low-level object (prevented by the *-property)
Figure 5-7 Secure Flow of Information.
Biba Integrity Model
The Bell-La Padula model applies only to secrecy; Biba is about integrity and defines integrity levels
Properties:
Simple Integrity Property – Subject s can modify (have write access to) object o only if I(s) ≥ I(o)
*-Property – if subject s has read access to object o with integrity level I(o), s can have write access to object p only if I(o) ≥ I(p) [write-down]
Totally ignores secrecy
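An added example (not from the slides) that covers the dominance relation from the military policy slide together with the Bell-La Padula and Biba properties above, written as the checks a reference monitor would make. The rank order follows the slide; the analyst, plan, briefing and roster labels are constructed sample values.

```python
from dataclasses import dataclass

# Rank order from the military policy slide, least to most sensitive.
RANKS = {"Unclassified": 0, "Restricted": 1, "Confidential": 2, "Secret": 3, "Top Secret": 4}

@dataclass(frozen=True)
class Label:
    """<rank; compartments>: a subject's clearance or an object's classification."""
    rank: str
    compartments: frozenset

def dominates(a, b):
    """a dominates b iff rank(b) <= rank(a) and compartments(b) is a subset of compartments(a)."""
    return RANKS[b.rank] <= RANKS[a.rank] and b.compartments <= a.compartments

# Bell-La Padula: C(s) is the subject's clearance, C(o) the object's classification.
def blp_can_read(c_s, c_o):
    """Simple security property: s may read o only if C(o) <= C(s) (no read-up)."""
    return dominates(c_s, c_o)

def blp_can_write(labels_read, c_p):
    """*-property: having read objects o, s may write p only if C(o) <= C(p) for every o (no write-down)."""
    return all(dominates(c_p, c_o) for c_o in labels_read)

# Biba: integer integrity levels, larger means more trustworthy.
def biba_can_write(i_s, i_o):
    """Simple integrity property: s may modify o only if I(s) >= I(o)."""
    return i_s >= i_o

def biba_can_write_after_read(levels_read, i_p):
    """Biba *-property: having read objects with I(o), s may write p only if I(o) >= I(p) for every o."""
    return all(i_o >= i_p for i_o in levels_read)

# Constructed sample labels: an analyst cleared Secret for compartments {crypto, nuclear}.
ANALYST = Label("Secret", frozenset({"crypto", "nuclear"}))
PLAN = Label("Secret", frozenset({"crypto"}))             # dominated by ANALYST: readable
BRIEFING = Label("Top Secret", frozenset({"crypto"}))      # rank too high: not readable
ROSTER = Label("Confidential", frozenset({"personnel"}))   # compartment not held: not readable
PUBLIC = Label("Unclassified", frozenset())

def demo():
    return {
        "read_plan": blp_can_read(ANALYST, PLAN),                   # True
        "read_briefing": blp_can_read(ANALYST, BRIEFING),           # False
        "read_roster": blp_can_read(ANALYST, ROSTER),               # False (need-to-know)
        "write_public_after_plan": blp_can_write([PLAN], PUBLIC),   # False: write-down blocked
        "write_briefing_after_plan": blp_can_write([PLAN], BRIEFING),  # True: write-up allowed
        "biba_low_subject_writes_high": biba_can_write(1, 3),       # False
        "biba_write_high_after_low_read": biba_can_write_after_read([1], 3),  # False
    }
```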
Graham-Denning Model
Formal system of protection rules
Access control mechanism (matrix) of a protection system
Eight primitive protection rights:
Create object, Create subject, Delete object, Delete subject
Read access, Grant access, Delete access right, Transfer access right
Matrix: A[s,o]
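An added example (not from the slides): an A[s,o] access matrix in Python exposing the eight Graham-Denning rules listed above. The owner/control preconditions and the "*" copy flag on transferable rights are taken from the Graham-Denning model as generally described, not from the slides, and the method names are my own.

```python
class AccessMatrix:
    """Graham-Denning access matrix: A[s][o] is the set of rights subject s holds on object o.
    Subjects are also columns, so "owner" and "control" over another subject are ordinary entries."""

    def __init__(self):
        self.A = {}

    def rights(self, s, o):
        return self.A.get(s, {}).get(o, set())

    def _has(self, s, o, r):
        return r in self.rights(s, o)

    def _add(self, s, o, *rs):
        self.A.setdefault(s, {}).setdefault(o, set()).update(rs)
        return True

    def create_object(self, s, o):                # R5: creator becomes owner of the new object
        return self._add(s, o, "owner")
    def create_subject(self, s, new):             # R7: creator owns and controls the new subject
        self.A.setdefault(new, {})
        return self._add(s, new, "owner", "control")

    def delete_object(self, s, o):                # R6: only the owner may destroy the object
        if not self._has(s, o, "owner"):
            return False
        for row in self.A.values():
            row.pop(o, None)                      # drop the column from every row
        return True

    def delete_subject(self, s, victim):          # R8: only the owner may destroy a subject
        if not self.delete_object(s, victim):     # a subject is also a column ...
            return False
        self.A.pop(victim, None)                  # ... and a row
        return True

    def read_access(self, s, s2, o):              # R4: read A[s2,o] if s controls s2 or owns o
        ok = self._has(s, s2, "control") or self._has(s, o, "owner")
        return set(self.rights(s2, o)) if ok else None

    def grant(self, s, r, s2, o):                 # R2: the owner of o may grant r on o to s2
        return self._has(s, o, "owner") and self._add(s2, o, r)
    def transfer(self, s, r, s2, o):              # R1: s passes r on only if it holds the copy flag r*
        return self._has(s, o, r + "*") and self._add(s2, o, r)

    def delete_right(self, s, r, s2, o):          # R3: needs control over s2 or ownership of o
        if not (self._has(s, s2, "control") or self._has(s, o, "owner")):
            return False
        self.rights(s2, o).discard(r)
        return True
```

Every rule returns True only when its precondition holds and the matrix was changed, so a denied operation leaves A[s,o] untouched.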
Take-Grant Systems
Four primitives: create, revoke, take and grant