![Page 1: SESSION LATTICE-BASED ACCESS CONTROL MODELS Ravi Sandhu George Mason University Fairfax, Virginia USA](https://reader035.vdocument.in/reader035/viewer/2022062618/5514637a5503462d4e8b5a30/html5/thumbnails/1.jpg)
SESSION
LATTICE-BASED ACCESS CONTROL MODELS
Ravi Sandhu, George Mason University
Fairfax, Virginia, USA
LATTICE-BASED MODELS
• Denning's axioms and lattices
• Bell-LaPadula model (BLP)
• Integrity and information flow
• The Chinese Wall lattice
DENNING'S AXIOMS
⟨SC, →, ⊕⟩
SC   set of security classes
→ ⊆ SC × SC   flow relation (i.e., can-flow)
⊕ : SC × SC → SC   class-combining operator
DENNING'S AXIOMS
⟨SC, →, ⊕⟩
1 SC is finite
2 → is a partial order on SC
3 SC has a lower bound L such that L → A for all A ∈ SC
4 ⊕ is a least upper bound (lub) operator on SC
Justification for 1 and 2 is stronger than for 3 and 4. In practice we may therefore end up with a partially ordered set (poset) rather than a lattice.
LATTICE STRUCTURES
Compartments and Categories: the subsets of {ARMY, NUCLEAR, CRYPTO} ordered by inclusion (Hasse diagram on the slide, top to bottom)
{ARMY, NUCLEAR, CRYPTO}
{ARMY, NUCLEAR}   {ARMY, CRYPTO}   {NUCLEAR, CRYPTO}
{ARMY}   {NUCLEAR}   {CRYPTO}
{}
LATTICE STRUCTURES
Hierarchical Classes with Compartments
Hierarchical classes: TS above S
Compartments: {A,B} above {A} and {B}, which are above {}
product of 2 lattices is a lattice
LATTICE STRUCTURES
Hierarchical Classes with Compartments: the product of the chain S < TS with the subset lattice of {A,B}, eight labels of the form level,compartments (Hasse diagram on the slide, top to bottom)
TS,{A,B}
TS,{A}   TS,{B}
TS,{}   S,{A,B}
S,{A}   S,{B}
S,{}
(A label dominates another when its level is at least as high and its compartment set is a superset; TS,{} and S,{A,B} are therefore incomparable.)
SMITH'S LATTICE
(Hasse diagram on the slide; only its labels are recoverable here. Four hierarchical levels U, C, S, TS and compartments A, K, L, Q, W, X, Y, Z.)
U   C   S   TS
S-A   S-L   S-W   S-LW
TS-K   TS-L   TS-Q   TS-W   TS-X   TS-Y   TS-Z
TS-KL   TS-KY   TS-KLX   TS-KQZ
TS-AKLQWXYZ
SMITH'S LATTICE
• With large lattices a vanishingly small fraction of the labels will actually be used
• Smith's lattice: 4 hierarchical levels, 8 compartments, therefore
  number of possible labels = 4 × 2^8 = 1024
  Only 21 labels are actually used (about 2%)
• Consider 16 hierarchical levels, 64 compartments, which gives 16 × 2^64 ≈ 3 × 10^20 labels
EMBEDDING A POSET IN A LATTICE
Poset, ordered by inclusion (top to bottom):
{A,B,C}   {A,B,D}
{A}   {B}
{A} and {B} have two minimal upper bounds, {A,B,C} and {A,B,D}, but no least one, and there is no bottom element, so this is a poset but not a lattice. Adding {}, {A,B} and {A,B,C,D} embeds it in a lattice:
{A,B,C,D}
{A,B,C}   {A,B,D}
{A,B}
{A}   {B}
{}
such embedding is always possible
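The axioms of slides 3-4 and the structures of slides 5-10 can be checked mechanically. The Python below is an added example (not from the slides or from Sandhu's paper): it builds the product of a level chain with the subset lattice of compartments, verifies Denning's axioms 2-4 by brute force, and shows that slide 10's four-element poset fails axioms 3 and 4 until the three extra classes are added. The label encoding, the level ranks and all function names are this example's own choices.

```python
"""Denning's axioms checked on concrete label sets.

Added example; not from Sandhu's slides. Labels are (level name, frozenset of
compartments); level ranks and function names are this example's own.
"""
from itertools import product

# Hierarchical levels, ranked bottom to top (slide 12's chain).
LEVELS = {"U": 0, "C": 1, "S": 2, "TS": 3}


def all_labels(levels=LEVELS, comps=("A", "B")):
    """Every (level, compartment-set) label: |levels| * 2**|comps| of them."""
    subsets = [frozenset(c for c, bit in zip(comps, bits) if bit)
               for bits in product((0, 1), repeat=len(comps))]
    return [(lvl, s) for lvl in levels for s in subsets]


def can_flow(a, b):
    """a -> b (b dominates a): b's level is at least a's and b's compartments
    include a's. This is the product of the level chain and the subset lattice."""
    return LEVELS[a[0]] <= LEVELS[b[0]] and a[1] <= b[1]


def join(a, b):
    """Class-combining operator: the least upper bound of a and b."""
    lvl = max(a[0], b[0], key=LEVELS.__getitem__)
    return (lvl, a[1] | b[1])


def lub(classes, flow, a, b):
    """Least upper bound of a and b within `classes`, or None if there is none
    (no upper bound at all, or several minimal ones, as in slide 10's poset)."""
    ubs = [u for u in classes if flow(a, u) and flow(b, u)]
    least = [u for u in ubs if all(flow(u, v) for v in ubs)]
    return least[0] if len(least) == 1 else None


def check_denning_axioms(classes, flow, combine=None):
    """Return {axiom: holds?} for <SC, ->, (+)>. Axiom 1 (SC finite) holds by
    construction because `classes` is materialised as a list. If `combine` is
    given, axiom 4 also requires combine(a, b) to equal the lub found by search."""
    sc = list(classes)
    pairs = [(a, b) for a in sc for b in sc]
    reflexive = all(flow(a, a) for a in sc)
    antisymmetric = all(a == b for a, b in pairs if flow(a, b) and flow(b, a))
    transitive = all(flow(a, c) for a, b in pairs for c in sc
                     if flow(a, b) and flow(b, c))
    lubs = {(a, b): lub(sc, flow, a, b) for a, b in pairs}
    has_lub = all(v is not None for v in lubs.values())
    if combine is not None:
        has_lub = has_lub and all(combine(a, b) == lubs[(a, b)] for a, b in pairs)
    return {
        "2 partial order": reflexive and antisymmetric and transitive,
        "3 lower bound": any(all(flow(low, a) for a in sc) for low in sc),
        "4 lub operator": has_lub,
    }


def is_lattice(classes, flow, combine=None):
    return all(check_denning_axioms(classes, flow, combine).values())


# Slide 10's poset: four classes ordered by set inclusion. {A} and {B} have two
# minimal upper bounds, {A,B,C} and {A,B,D}, hence no lub; and there is no bottom.
POSET = [frozenset("A"), frozenset("B"), frozenset("ABC"), frozenset("ABD")]
# The embedding the slide draws: add the bottom, the missing join and the top.
EMBEDDED = POSET + [frozenset(), frozenset("AB"), frozenset("ABCD")]


def subset_flow(a, b):
    return a <= b


if __name__ == "__main__":
    print("product lattice:", check_denning_axioms(all_labels(), can_flow, join))
    print("slide 10 poset: ", check_denning_axioms(POSET, subset_flow))
    print("embedded:       ", check_denning_axioms(EMBEDDED, subset_flow))
    # Smith's lattice (slide 9): 4 levels x 8 compartments = 1024 possible labels
    print("Smith's label space:", len(all_labels(LEVELS, tuple("AKLQWXYZ"))))
```

The brute-force search in `lub` is what makes the check honest: it does not trust `join`, it derives the least upper bound from the flow relation alone and then confirms that the supplied operator agrees, which is exactly what axiom 4 demands.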
BELL LAPADULA (BLP) MODEL
SIMPLE-SECURITY: Subject S can read object O only if
• label(S) dominates label(O)
• i.e., information can flow from label(O) to label(S)
STAR-PROPERTY: Subject S can write object O only if
• label(O) dominates label(S)
• i.e., information can flow from label(S) to label(O)
BLP MODEL
Top Secret
Secret
Confidential
Unclassified
Information can flow upward (Unclassified → Confidential → Secret → Top Secret); dominance runs the other way (a higher label dominates every label below it).
DYNAMIC LABELS IN BLP
• Tranquility (most common): SECURE
  label is static for subjects and objects
• High water mark on subjects: SECURE
  label is static for objects
  label may increase but not decrease for subjects
• High water mark on objects: INSECURE
  label is static for subjects
  label may increase but not decrease for objects
BIBA MODEL
High Integrity
Some Integrity
Suspicious
Garbage
Information can flow downward (High Integrity → Some Integrity → Suspicious → Garbage); a higher-integrity label dominates every label below it.
BIBA MODEL
SIMPLE-INTEGRITY: Subject S can read object O only if
• label(O) dominates label(S)
• i.e., information can flow from label(O) to label(S)
STAR-PROPERTY: Subject S can write object O only if
• label(S) dominates label(O)
• i.e., information can flow from label(S) to label(O)
EQUIVALENCE OF BLP AND BIBA
BIBA LATTICE: HI (High Integrity) above LI (Low Integrity)
EQUIVALENT BLP LATTICE: LI (Low Integrity) above HI (High Integrity)
EQUIVALENCE OF BLP AND BIBA
BLP LATTICE: HS (High Secrecy) above LS (Low Secrecy)
EQUIVALENT BIBA LATTICE: LS (Low Secrecy) above HS (High Secrecy)
COMBINATION OF DISTINCT LATTICES
GIVEN
BLP: HS above LS        BIBA: HI above LI
EQUIVALENT BLP LATTICE (the product, top to bottom):
HS, LI
HS, HI   LS, LI
LS, HI
BLP AND BIBA
• BLP and Biba are fundamentally equivalent and interchangeable
• Lattice-based access control is a mechanism for enforcing one-way information flow, which can be applied to confidentiality or integrity goals
• We will use the BLP formulation with high confidentiality at the top of the lattice, and high integrity at the bottom
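Slides 11-19 define BLP and Biba by the same two dominance tests with the roles swapped, claim that either model is the other on an inverted lattice, and show on slide 18 that a confidentiality lattice and an integrity lattice combine as a product. The Python below is an added example (not from the slides): a label carries one rank per hierarchical chain plus a category set, `dual` turns a lattice upside down, `biba_equals_dual_blp` checks the equivalence exhaustively, `combined` builds slide 18's product labels in the convention of slide 19, and `hwm_read` shows the subject high water mark of slide 13. Chain and category names come from slides 5, 12 and 14; the rank encoding and all class and function names are this example's own.

```python
"""BLP and Biba as one-way flow on a lattice; Biba as BLP on the dual lattice.

Added example, not from the slides. A Label holds one rank per hierarchical
chain (so slide 18's product is a single Label) plus a category set. Chain and
category names are the slides'; the encoding and identifiers are this example's.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Label:
    levels: tuple                 # rank in each hierarchical chain, 0 = bottom
    cats: frozenset = frozenset()

    def dominates(self, other):
        """Component-wise: each rank >= the other's, categories a superset."""
        return (len(self.levels) == len(other.levels)
                and all(a >= b for a, b in zip(self.levels, other.levels))
                and self.cats >= other.cats)

    def join(self, other):
        """Least upper bound: max of each rank, union of categories."""
        return Label(tuple(max(a, b) for a, b in zip(self.levels, other.levels)),
                     self.cats | other.cats)


CONF = {"U": 0, "C": 1, "S": 2, "TS": 3}                                           # slide 12
INTEG = {"Garbage": 0, "Suspicious": 1, "Some Integrity": 2, "High Integrity": 3}  # slide 14
CATS = frozenset({"ARMY", "NUCLEAR", "CRYPTO"})                                    # slide 5
TOP = 3                                                                            # top rank of both chains


def conf(level, *cats):
    return Label((CONF[level],), frozenset(cats))


def integ(level, *cats):
    return Label((INTEG[level],), frozenset(cats))


# BLP (slide 11): no read up, no write down.
def blp_can_read(subject, obj):
    return subject.dominates(obj)


def blp_can_write(subject, obj):
    return obj.dominates(subject)


# Biba (slide 15): no read down, no write up. The same two tests, swapped.
def biba_can_read(subject, obj):
    return obj.dominates(subject)


def biba_can_write(subject, obj):
    return subject.dominates(obj)


def dual(label):
    """Turn the lattice upside down (slides 16-17): rank r becomes TOP - r and a
    category set becomes its complement, so dominance is exactly reversed."""
    return Label(tuple(TOP - r for r in label.levels), CATS - label.cats)


def biba_via_blp(subject, obj):
    """Biba's two decisions computed as BLP on the dual labels (slide 19)."""
    s, o = dual(subject), dual(obj)
    return blp_can_read(s, o), blp_can_write(s, o)


def biba_equals_dual_blp():
    """Exhaustive check of the equivalence over all 4 * 2**3 integrity labels."""
    subsets = [frozenset(c) for n in range(len(CATS) + 1)
               for c in combinations(sorted(CATS), n)]
    labels = [Label((r,), s) for r in INTEG.values() for s in subsets]
    return all(biba_via_blp(s, o) == (biba_can_read(s, o), biba_can_write(s, o))
               for s in labels for o in labels)


def combined(conf_level, integ_level):
    """Slide 18: one BLP label for a confidentiality level and an integrity
    level, the integrity chain dualised (slide 19: high integrity at the bottom).
    (HS, LI) is the top, (LS, HI) the bottom; (HS, HI) and (LS, LI) are incomparable."""
    return Label((CONF[conf_level], TOP - INTEG[integ_level]))


def hwm_read(subject, obj):
    """High water mark on subjects (slide 13): the read goes ahead and the
    subject's label rises to the join; it is never lowered again."""
    return subject.join(obj)


if __name__ == "__main__":
    print("TS/ARMY reads S/ARMY:", blp_can_read(conf("TS", "ARMY"), conf("S", "ARMY")))
    print("S writes U:          ", blp_can_write(conf("S"), conf("U")))
    print("Biba == dual BLP:    ", biba_equals_dual_blp())
    s = hwm_read(conf("U"), conf("S"))
    print("after reading S, can still write U:", blp_can_write(s, conf("U")))
```

The point of `biba_equals_dual_blp` is that nothing about Biba has to be implemented separately: once `dual` is in place, one enforcement engine with the BLP rules covers both goals, which is what slide 19 recommends by putting high integrity at the bottom of the lattice.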
LIPNER'S LATTICE
(Hasse diagram on the slide; only the subjects and objects placed in it are recoverable here.)
LEGEND   S: Subjects   O: Objects
S: System Control
S: System Managers   O: Audit Trail
S: Repair   S: Production Users   O: Production Data
S: Application Programmers   O: Development Code and Data
S: System Programmers   O: System Code in Development
O: Repair Code
O: System Programs
O: Production Code   O: Tools
LIPNER'S LATTICE
• Uses 9 labels from a possible space of 192 labels
• Audit trail is at lowest integrity
• Production users are only allowed to execute production code
• System control subjects are allowed to write down (with respect to confidentiality), or equivalently write up (with respect to integrity)
CHINESE WALL POLICY
• Example of a commercial security policy for confidentiality
• Mixture of free choice (discretionary) and mandatory controls
• Introduced by Brewer and Nash at the IEEE Symposium on Security and Privacy (Oakland), 1989
CHINESE WALL EXAMPLE
ALL OBJECTS
CONFLICT OF INTEREST CLASSES: BANKS, OIL COMPANIES
COMPANY DATASETS: A and B (banks); X and Y (oil companies)
A consultant can access information about at most one company in each conflict of interest class
READ ACCESS
BREWER-NASH SIMPLE SECURITY
S can read O only if
• O is in the same company dataset as some object previously read by S (i.e., O is within the wall)
or
• O belongs to a conflict of interest class within which S has not read any object (i.e., O is in the open)
WRITE ACCESS
BREWER-NASH STAR-PROPERTY
S can write O only if
• S can read O by the simple security rule
and
• no object can be read which is in a different company dataset to the one for which write access is requested
REASON FOR BN STAR-PROPERTY
ALICE'S WALL: Bank A, Oil Company X
BOB'S WALL: Bank B, Oil Company X
• cooperating Trojan Horses can transfer Bank A information to Bank B objects, and vice versa, using Oil Company X objects as intermediaries
IMPLICATIONS OF BN STAR-PROPERTY
Either
• S cannot write at all
or
• S is limited to reading and writing one company dataset
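Slides 24-27 give the Brewer-Nash rules and the reason the star property has to be so restrictive. The Python below is an added example (not from the slides or from Brewer and Nash's paper): a Subject keeps the history of company datasets it has read, `can_read` and `can_write` are the two rules as stated on slides 24-25, `writable_objects` shows the impasse of slide 27, and `trojan_leak` replays slide 26's cooperating Trojan horses with the star property switched off and then on. The object names, the conflict classes and the "provenance tag" that stands in for object content are constructed for this example.

```python
"""Brewer-Nash Chinese Wall rules with a per-subject access history.

Added example; not from the slides or from Brewer and Nash. The conflict
classes, company datasets, object names and the two-Trojan scenario are
constructed to match slides 23-27.
"""

CONFLICT_CLASSES = {                                   # slide 23
    "BANKS": {"Bank A", "Bank B"},
    "OIL COMPANIES": {"Oil X", "Oil Y"},
}
DATASET_CLASS = {ds: cls for cls, dss in CONFLICT_CLASSES.items() for ds in dss}

# Constructed objects: object name -> company dataset it belongs to.
OBJECTS = {
    "A-ledger": "Bank A", "A-memo": "Bank A", "B-ledger": "Bank B",
    "X-reserves": "Oil X", "X-notes": "Oil X", "Y-reserves": "Oil Y",
}


class Subject:
    def __init__(self, name, store=None):
        self.name = name
        self.read_datasets = set()              # history: datasets read so far
        # store: object -> set of provenance tags, standing in for content
        self.store = store if store is not None else {o: set() for o in OBJECTS}

    def can_read(self, obj):
        """BN simple security (slide 24): O is within the wall (a dataset S has
        already read from) or in the open (no dataset of O's class read yet)."""
        ds = OBJECTS[obj]
        if ds in self.read_datasets:
            return True
        return all(DATASET_CLASS[d] != DATASET_CLASS[ds] for d in self.read_datasets)

    def can_write(self, obj):
        """BN star property (slide 25): S can read O, and S has read from no
        company dataset other than O's. A subject that has read from two
        datasets can therefore never write again (slide 27)."""
        return self.can_read(obj) and self.read_datasets <= {OBJECTS[obj]}

    def read(self, obj):
        if not self.can_read(obj):
            raise PermissionError(f"{self.name}: read {obj} denied")
        self.read_datasets.add(OBJECTS[obj])
        return set(self.store[obj])

    def write(self, obj, data, enforce_star=True):
        """enforce_star=False models a system with only the read rule, to show
        the leak the star property exists to stop."""
        if not self.can_read(obj) or (enforce_star and not self.can_write(obj)):
            raise PermissionError(f"{self.name}: write {obj} denied")
        self.read_datasets.add(OBJECTS[obj])    # writing puts O's dataset inside the wall
        self.store[obj] |= set(data)


def writable_objects(subject):
    """What the star property leaves a subject able to write (slide 27)."""
    return sorted(o for o in OBJECTS if subject.can_write(o))


def trojan_leak(enforce_star):
    """Slide 26: Alice's wall is {Bank A, Oil X}, Bob's is {Bank B, Oil X}.
    Their Trojan horses relay Bank A data through an Oil X object.
    Returns True if Bank A data ends up in a Bank B object."""
    store = {o: set() for o in OBJECTS}
    store["A-ledger"].add("Bank A secret")
    alice, bob = Subject("Alice", store), Subject("Bob", store)
    try:
        carried = alice.read("A-ledger")                  # Alice's Trojan reads Bank A
        alice.write("X-notes", carried, enforce_star)     # ... and parks it in Oil X
        bob.read("B-ledger")
        carried = bob.read("X-notes")                     # Bob's Trojan picks it up
        bob.write("B-ledger", carried, enforce_star)      # ... and drops it into Bank B
    except PermissionError:
        pass
    return "Bank A secret" in store["B-ledger"]


if __name__ == "__main__":
    print("leak without star property:", trojan_leak(enforce_star=False))
    print("leak with star property:   ", trojan_leak(enforce_star=True))
    s = Subject("Carol")
    print("fresh subject can write:", writable_objects(s))
    s.read("A-ledger")
    print("after reading Bank A:   ", writable_objects(s))
    s.read("X-notes")
    print("after reading Oil X too:", writable_objects(s))
```

With the star property on, Alice's first write into the Oil X object is already refused because her history contains Bank A, so the relay never starts; the price is that Carol, having read from Bank A and Oil X, can no longer write anything at all, which is the impasse slide 27 describes.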
WHY THIS IMPASSE?
Failure to clearly distinguish user labels from subject labels.
CHINESE WALL LATTICE
(Hasse diagram on the slide, top to bottom)
SYSHIGH
A, X   A, Y   B, X   B, Y
A, -   B, -   -, X   -, Y
SYSLOW
The high water mark of a user's principal can float up so long as it remains below SYSHIGH
USERS, PRINCIPALS, SUBJECTS
USER: ALICE
PRINCIPALS:
ALICE.nothing
ALICE.BANK A
ALICE.OIL COMPANY X
ALICE.BANK A & OIL COMPANY X
USERS, PRINCIPALS, SUBJECTS
USER: JOE
PRINCIPALS:
JOE.UNCLASSIFIED
JOE.CONFIDENTIAL
JOE.SECRET
JOE.TOP-SECRET
USERS, PRINCIPALS, SUBJECTS
• The Bell-LaPadula star-property is applied not to Joe but rather to Joe's principals
• Similarly, the Brewer-Nash star-property applies not to Alice but to Alice's principals
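Slides 29-32 resolve the impasse by putting the label on the principal rather than the user. The Python below is an added example (not from the slides): a label is one company slot per conflict class, `join` returns SYSHIGH whenever two companies of one class would meet, a Principal's label floats up on read as slide 29 says, and the star property is checked against the principal's label as slide 32 says, while the one-company-per-class rule of slide 23 is kept on the User across all its principals. The company names and SYSHIGH/SYSLOW are slide 29's; the User/Principal split, the tuple encoding and all identifiers are this example's own.

```python
"""The Chinese Wall as a lattice, with the star property applied to principals.

Added example; not Sandhu's code. A label is a tuple with one slot per
conflict-of-interest class (None = no company of that class yet); SYSHIGH is
the top, reached when two companies of the same class would be combined.
Company names are from slide 29; the User/Principal split is this example's.
"""

CLASSES = ("BANKS", "OIL COMPANIES")
COMPANY_CLASS = {"A": "BANKS", "B": "BANKS", "X": "OIL COMPANIES", "Y": "OIL COMPANIES"}
SYSHIGH = "SYSHIGH"
SYSLOW = (None, None)            # where the "ALICE.nothing" principal starts


def label_of(company):
    """Label of a company dataset's objects, e.g. Bank A -> ("A", None)."""
    return tuple(company if COMPANY_CLASS[company] == c else None for c in CLASSES)


def join(a, b):
    """Least upper bound. Two different companies of one class have no common
    upper bound below SYSHIGH, so their join is SYSHIGH."""
    if a == SYSHIGH or b == SYSHIGH:
        return SYSHIGH
    out = []
    for x, y in zip(a, b):
        if x is None or y is None or x == y:
            out.append(y if x is None else x)
        else:
            return SYSHIGH
    return tuple(out)


def can_flow(a, b):
    """a -> b (b dominates a) iff join(a, b) == b."""
    return join(a, b) == b


class User:
    """Policy on users (slide 23): at most one company per conflict class,
    remembered across all of the user's principals."""
    def __init__(self, name):
        self.name = name
        self.chosen = {}             # conflict class -> company


class Principal:
    """A user acting under one label. The label floats up (slide 29), and the
    star property is enforced on the principal, not the user (slide 32)."""
    def __init__(self, user):
        self.user = user
        self.label = SYSLOW

    def read(self, company):
        new = join(self.label, label_of(company))
        if new == SYSHIGH:
            return False             # would combine two companies of one class
        cls = COMPANY_CLASS[company]
        if self.user.chosen.get(cls, company) != company:
            return False             # the user is already behind a competitor's wall
        self.label = new             # high water mark floats up, never down
        self.user.chosen[cls] = company
        return True

    def write(self, company):
        """Star property on the principal: the object's label must dominate it."""
        return can_flow(self.label, label_of(company))


def alice_scenario():
    """Slide 30's principals for one user, with each decision they get."""
    alice = User("ALICE")
    both = Principal(alice)          # becomes ALICE.BANK A & OIL COMPANY X
    bank_a = Principal(alice)        # becomes ALICE.BANK A
    return {
        "both reads A and X": both.read("A") and both.read("X"),
        "both label": both.label,
        "both writes A": both.write("A"),            # no: Oil X data could flow into Bank A
        "bank_a reads A": bank_a.read("A"),
        "bank_a writes A": bank_a.write("A"),        # yes: the impasse of slide 27 is gone
        "bank_a reads B": bank_a.read("B"),          # no: join would be SYSHIGH
        "new principal reads Y": Principal(alice).read("Y"),  # no: Alice chose X elsewhere
    }


if __name__ == "__main__":
    for decision, result in alice_scenario().items():
        print(f"{decision}: {result}")
```

Under this formulation ALICE.BANK A keeps writing Bank A objects while ALICE.BANK A & OIL COMPANY X can write only to objects at or above its own label, so the Trojan relay of slide 26 is still blocked but the user is not frozen out; that is what slide 32 means by applying the star property to principals rather than to Alice.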
CONCLUSION
• So long as Denning’s axioms are satisfied we will get a lattice-based information flow policy
• One-directional information flow in a lattice can be used for secrecy as well as for integrity but does not solve either problem completely
• To properly understand and enforce Information Security policies we must distinguish between
• policy applied to users, and
• policy applied to principals and subjects
REFERENCES
• Ravi Sandhu, "Lattice-Based Access Control Models," IEEE Computer, vol. 26, no. 11, November 1993, pages 9-19