CMSC 414Computer and Network SecurityLecture 14.ppt

CMSC 414Computer and Network SecurityLecture 14 Jonathan Katz Announcement 400-level lecture series, Oct. 20-22, 4:45-6, in CSIC 3117 “Military security policy” Primarily concerned with secrecy Objects given “classification” (rank; compartments) Subjects given “clearance” (rank; compartments) “Need to know” basis Subject with clearance (r, C) dominates object with classification (r’, C’) only if r’ ≤ r and C’ ? C Defines a partial order … classifications/clearance not necessarily hierarchical Security models Multilevel security Bell-LaPadula model Identifies allowable communication flows Concerned primarily with ensuring secrecy Biba model Concerned primarily with “trustworthiness”/integrity of data Multilateral security Chinese wall Developed for commercial applications Bell-LaPadula model Simple security condition: S can read O if and only if lo ? ls *-property: S can write O if and only if ls ? lo Why? “Read down; write up” Information flows upward Why? Trojan horse Even with the right intentions, could be dangerous… Basic security theorem If a system begins in a secure state, and always preserves the simple security condition and the *-property, then the system will always remain in a secure state I.e., information never flows down… Communicating down… How to communicate from a higher security level to a lower one? Max. security level vs. current security level Maximum security level must always dominate the current security level Reduce security level to write down… Security theorem no longer holds Must rely on users to be security-conscious Commercial vs. military systems The Bell-LaPadula model does not work well for commercial systems Users given access to data as needed Discretionary access control vs. mandatory access control Would require large number of categories and classifications Centralized handling of “security clearances” Biba model Concerned with integrity “Dual” of Bell-LaPadula model The higher the level, the more confidence More confiden