Post on 21-Dec-2015
FM and Security-Overview
Formal Security Models
Based on slides prepared by A. Jones and Y. Lin.
Material based on C. Landwehr paper
Why Formal Models?
Regulations are generally descriptive rather than prescriptive, so they don’t tell you how to implement.
Systems must be secure; security must be demonstrable --> proofs; therefore, formal security models.
Military Security
Classification levels: unclassified; classified: confidential, secret, top secret
Compartments: topic specific
Clearance: ability to access a certain level/compartment of sensitive information
Formal Models - Basic Concepts
Finite state machine model: this structure is the basis for all models in this paper
Lattice model
Access matrix model
Security kernel (small enough for verification)
Information-flow model
Lattice Model (for military application)
Sensitivity levels a, b; compartments c, d
(a,c) >= (b,d) iff a >= b and c contains d
Implies a greatest lower bound -- (unclassified, no compartments)
and a least upper bound -- (top secret, all compartments)
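The dominance relation of the slide, worked through in code. This is an added example, not material from the slides or from Landwehr's paper; the four level names come from the Military Security slide, while the compartment names (nuclear, crypto, sigint) and the helper names are constructed for the example. Labels are (level, set of compartments); lub takes the higher level and the union of compartments, glb the lower level and the intersection, which is exactly why the top and bottom elements are (top secret, all compartments) and (unclassified, no compartments).

```python
# Added example (not from the slides): the military lattice of labels
# (level, compartments), with (a,c) >= (b,d) iff a >= b and c contains d.
from typing import FrozenSet, Tuple

# Levels from the Military Security slide, in increasing order.
LEVELS = ["unclassified", "confidential", "secret", "top secret"]
# Constructed compartment universe for this example (assumption).
ALL_COMPARTMENTS = frozenset({"nuclear", "crypto", "sigint"})

Label = Tuple[str, FrozenSet[str]]

def label(level: str, *compartments: str) -> Label:
    """Build a label, rejecting unknown levels or compartments."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}")
    comps = frozenset(compartments)
    if not comps <= ALL_COMPARTMENTS:
        raise ValueError(f"unknown compartments {sorted(comps - ALL_COMPARTMENTS)}")
    return (level, comps)

def dominates(x: Label, y: Label) -> bool:
    """x >= y iff level(x) >= level(y) and compartments(x) contain compartments(y)."""
    (a, c), (b, d) = x, y
    return LEVELS.index(a) >= LEVELS.index(b) and c >= d

def lub(x: Label, y: Label) -> Label:
    """Least upper bound: the lowest label that dominates both x and y."""
    (a, c), (b, d) = x, y
    return (LEVELS[max(LEVELS.index(a), LEVELS.index(b))], c | d)

def glb(x: Label, y: Label) -> Label:
    """Greatest lower bound: the highest label dominated by both x and y."""
    (a, c), (b, d) = x, y
    return (LEVELS[min(LEVELS.index(a), LEVELS.index(b))], c & d)

BOTTOM: Label = ("unclassified", frozenset())   # greatest lower bound of everything
TOP: Label = ("top secret", ALL_COMPARTMENTS)   # least upper bound of everything

def is_lattice_consistent(labels) -> bool:
    """Sanity check on a sample of labels: TOP/BOTTOM bound every label and
    lub/glb really are upper/lower bounds of each pair."""
    for x in labels:
        if not (dominates(TOP, x) and dominates(x, BOTTOM)):
            return False
        for y in labels:
            up, low = lub(x, y), glb(x, y)
            if not (dominates(up, x) and dominates(up, y)
                    and dominates(x, low) and dominates(y, low)):
                return False
    return True
```

Note the incomparable case: a top secret clearance with no compartments does not dominate (secret, {nuclear}), because the compartment containment test fails even though the level test passes. That is the property that makes compartments "need to know" rather than just another level.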
Access Matrix Model
Three principal components: objects, subjects, rules
Access matrix (subject X object): read, write, append, and execute
Reference monitor - checks each access
Two approaches to storing the matrix: capability list (row-wise), access control list (column-wise)
Access Matrix
Rows are subjects, columns are objects (subjects can also be objects, e.g. S1 holds a kill right over S1 and S2):

                O1    O2    O3    O4    S1     S2    ...
    S1          r     r     r     rx    kill   kill
    S2          rwx
    S3          r     rx    rx
    S4          r     r
    ...
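The two storage approaches from the Access Matrix Model slide, and the reference monitor that consults the matrix on every access, as an added example (not code from the slides or the paper). The matrix is the one in the figure above: the S1 row is legible in the slide; for S2, S3 and S4 the transcript does not preserve column positions, so placing their rights in the leftmost columns is an assumption of this example. Empty cells are denials, which is the default the reference monitor must enforce.

```python
# Added example (not from the slides): a sparse access matrix, its row-wise
# (capability list) and column-wise (access control list) views, and a reference
# monitor that mediates every access and denies on an empty cell.
from typing import Dict, FrozenSet, Tuple

Right = str  # "r", "w", "x", "a" (append) or "kill" (one subject controlling another)

# Constructed from the slide's figure. Column positions of rows S2-S4 are assumed.
MATRIX: Dict[Tuple[str, str], FrozenSet[Right]] = {
    ("S1", "O1"): frozenset("r"), ("S1", "O2"): frozenset("r"),
    ("S1", "O3"): frozenset("r"), ("S1", "O4"): frozenset("rx"),
    ("S1", "S1"): frozenset({"kill"}), ("S1", "S2"): frozenset({"kill"}),
    ("S2", "O1"): frozenset("rwx"),
    ("S3", "O1"): frozenset("r"), ("S3", "O2"): frozenset("rx"), ("S3", "O3"): frozenset("rx"),
    ("S4", "O1"): frozenset("r"), ("S4", "O2"): frozenset("r"),
}

def capability_list(matrix, subject: str) -> Dict[str, FrozenSet[Right]]:
    """Row-wise view: everything this subject holds, kept with the subject."""
    return {o: rights for (s, o), rights in matrix.items() if s == subject}

def access_control_list(matrix, obj: str) -> Dict[str, FrozenSet[Right]]:
    """Column-wise view: who may do what to this object, kept with the object."""
    return {s: rights for (s, o), rights in matrix.items() if o == obj}

class ReferenceMonitor:
    """Checks each access against the matrix and records the decision."""
    def __init__(self, matrix):
        self.matrix = dict(matrix)
        self.audit = []   # (subject, object, right, decision)

    def check(self, subject: str, obj: str, right: Right) -> bool:
        # An absent cell is an empty right set, i.e. deny by default.
        allowed = right in self.matrix.get((subject, obj), frozenset())
        self.audit.append((subject, obj, right, "allow" if allowed else "deny"))
        return allowed

def acl_and_caps_agree(matrix) -> bool:
    """Both views are re-indexings of one matrix, so they must agree cell by cell."""
    subjects = {s for s, _ in matrix}
    objects = {o for _, o in matrix}
    for s in subjects:
        caps = capability_list(matrix, s)
        for o in objects:
            if caps.get(o, frozenset()) != access_control_list(matrix, o).get(s, frozenset()):
                return False
    return True
```

The agreement check is the point of the slide: capability lists and ACLs are not different policies, only different ways of storing the same matrix, which is why a system that keeps both (or migrates from one to the other) has to keep them synchronized or it silently grants or loses rights.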
Take-Grant Model
Uses graphs to model access control
Access rights: read, write, take, grant
Each directed arc represents a capability: an arc from one object to another, labeled with an access right
Compact representation of a sparse access matrix
Take-Grant Model (cont)
Set of rules for rewriting the graph. E.g. take rule: if A has the take right to B, then A can acquire all rights to any object that B has
Rules control deletion & creation of arcs and objects
[Figure: the take rule. Before: A --take--> B, B --read,grant--> C. After: A --take--> B, B --read,grant--> C, and the new arc A --read,grant--> C.]
[Figure: the grant rule. Before: A --grant--> B, A --write--> C. After: A --grant--> B, A --write--> C, and the new arc B --write--> C.]
Take-Grant Model (cont)
Question asked of the model: given an initial graph plus the rules, can A ever get right R to object X?
I.e. a question of graph transformation
Undecidable for general graphs, but decidable for specific graphs & rules
Defined predicates: “can know”, “can tell”, “can steal”
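The take and grant rewriting rules from the two figures, and the "can A ever get right R to X?" question answered by computing the closure of the graph under those rules. This is an added example, not code from the slides or from Landwehr's paper. It assumes a fixed vertex set and only the two edge-adding rules (the create and remove rules the slides mention are left out), which is the kind of restriction under which the question becomes decidable: with finitely many vertices and rights there are finitely many possible arcs, so repeated application reaches a fixpoint. Self-loops are skipped as a simplification.

```python
# Added example (not from the slides): take/grant rewriting and the reachability
# question over a protection graph. Arcs are (source, destination, right).
from typing import FrozenSet, Set, Tuple

Edge = Tuple[str, str, str]

def take_rule(edges: Set[Edge]) -> Set[Edge]:
    """A --take--> B and B --r--> C  ==>  A --r--> C (A acquires every right B holds)."""
    new = set()
    for (a, b, r1) in edges:
        if r1 != "take":
            continue
        for (src, c, r) in edges:
            if src == b and c != a:          # skip self-loops (simplification)
                new.add((a, c, r))
    return new

def grant_rule(edges: Set[Edge]) -> Set[Edge]:
    """A --grant--> B and A --r--> C  ==>  B --r--> C (A passes a right it holds to B)."""
    new = set()
    for (a, b, r1) in edges:
        if r1 != "grant":
            continue
        for (src, c, r) in edges:
            if src == a and c != b:          # skip self-loops (simplification)
                new.add((b, c, r))
    return new

def closure(edges) -> FrozenSet[Edge]:
    """Apply take and grant until no new arc appears. Both rules only add arcs
    over a fixed vertex set, so the loop terminates at a fixpoint."""
    current = set(edges)
    while True:
        added = (take_rule(current) | grant_rule(current)) - current
        if not added:
            return frozenset(current)
        current |= added

def can_acquire(edges, subject: str, right: str, obj: str) -> bool:
    """The model's question: can `subject` ever hold `right` on `obj`?"""
    return (subject, obj, right) in closure(edges)

def derivation(edges, subject: str, right: str, obj: str):
    """Rounds of arcs added until the target arc appears (or the fixpoint is hit);
    useful for explaining a positive answer to an auditor."""
    current, rounds = set(edges), []
    while (subject, obj, right) not in current:
        added = (take_rule(current) | grant_rule(current)) - current
        if not added:
            break
        rounds.append(sorted(added))
        current |= added
    return rounds
```

Run on the take figure, `derivation` shows A obtaining read and grant on C in one round; on the chain A --take--> B --take--> C --write--> D it takes two rounds, because A must first take B's take right on C before it can take C's write right on D.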
Bell & LaPadula Model
Captures military classification
Uses a finite state machine
Formally defines a state to be secure, then considers transitions (that maintain security)
Uses subjects & objects of the access matrix
Adds military security: each subject has a clearance & a current classification level; each object has a classification
Bell & LaPadula Model (cont)
Four modes of access: read-only, append, execute, and read-write
Ownership -- owner can pass access modes to an owned object to other subjects
Core of the operating system is a monitor (security kernel) that checks all accesses
Minimum code; prove its properties
In practice, it is difficult to isolate all security-relevant functions to a small kernel
Bell & LaPadula Model (cont’d)
Properties for a state to be secure:
simple security property (restricts “reading up”)
the star-property (prohibits “writing down”)
Tranquility principle: no operation may change the classification of an active object
Bell and LaPadula Model (cont’d)
Rules of transition: create object, change security level, rescind access, give access, etc.
Trusted subjects: trusted not to compromise security even if some of their accesses violate the star-property
“Flat” set of objects: atomic objects, each with a single classification; no hierarchy
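The Bell & LaPadula slides above as a small state machine, as an added example (not code from the slides or from the paper). A state is the set of subjects (clearance, current level, trusted flag), the object classifications, and the current accesses; the state is secure when every current access satisfies the simple security property (observing modes need clearance to dominate the object) and the star-property (altering modes need the object to dominate the subject's current level). The "give access" transition is accepted only if the resulting state is still secure, the "change security level" transition enforces tranquility by refusing to reclassify an object with any current access, and trusted subjects are exempt from the star-property. The subject, object and compartment names are constructed for the example; the four access modes and their read/write interpretation follow the slide.

```python
# Added example (not from the slides): a Bell & LaPadula state machine with the
# simple security property, the star-property, tranquility and trusted subjects.
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

LEVELS = ["unclassified", "confidential", "secret", "top secret"]
Label = Tuple[str, FrozenSet[str]]   # (level, compartments)

def dominates(x: Label, y: Label) -> bool:
    return LEVELS.index(x[0]) >= LEVELS.index(y[0]) and x[1] >= y[1]

# The slide's four modes, as (observes, alters). Execute neither reads nor writes data.
MODES = {"read-only": (True, False), "append": (False, True),
         "execute": (False, False), "read-write": (True, True)}

@dataclass
class Subject:
    clearance: Label        # maximum level the subject may observe
    current: Label          # level it is operating at now (dominated by clearance)
    trusted: bool = False   # trusted subjects may violate the star-property

@dataclass
class State:
    subjects: Dict[str, Subject]
    objects: Dict[str, Label]
    accesses: Set[Tuple[str, str, str]] = field(default_factory=set)  # (subject, object, mode)

def simple_security(state: State, s: str, o: str, mode: str) -> bool:
    """No reading up: an observing access needs clearance >= classification."""
    observes, _ = MODES[mode]
    return not observes or dominates(state.subjects[s].clearance, state.objects[o])

def star_property(state: State, s: str, o: str, mode: str) -> bool:
    """No writing down: an altering access needs classification >= current level."""
    _, alters = MODES[mode]
    subj = state.subjects[s]
    return subj.trusted or not alters or dominates(state.objects[o], subj.current)

def is_secure(state: State) -> bool:
    return all(simple_security(state, s, o, m) and star_property(state, s, o, m)
               for (s, o, m) in state.accesses)

def get_access(state: State, s: str, o: str, mode: str) -> bool:
    """Transition 'give access': applied only if the new state is still secure."""
    candidate = State(state.subjects, state.objects, state.accesses | {(s, o, mode)})
    if not is_secure(candidate):
        return False
    state.accesses.add((s, o, mode))
    return True

def change_level(state: State, o: str, new_label: Label) -> bool:
    """Transition 'change security level', under tranquility: refuse for an active object."""
    if any(obj == o for (_, obj, _) in state.accesses):
        return False
    state.objects[o] = new_label
    return True

def example_state() -> State:
    """Constructed sample state (names and labels are illustrative assumptions)."""
    nuclear = frozenset({"nuclear"})
    none = frozenset()
    return State(
        subjects={
            "alice": Subject(("secret", nuclear), ("secret", nuclear)),
            "bob": Subject(("confidential", none), ("confidential", none)),
            "downgrader": Subject(("top secret", nuclear), ("top secret", nuclear), trusted=True),
        },
        objects={"plan": ("secret", nuclear), "bulletin": ("unclassified", none),
                 "memo": ("confidential", none)},
    )
```

The refused transitions are the ones the slides name: alice appending to the unclassified bulletin (writing down), bob reading the secret plan (reading up), and reclassifying the plan while alice holds read-write on it (tranquility). The trusted "downgrader" is the model's escape hatch for declassification, which is exactly the part a later slide flags as lacking clear guidance.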
Problems of B-L Model
Static representation is restrictive
Although hierarchies of objects are added in a later version, there is no corresponding appropriate set of axioms
No clear guidance to determine trusted processes
In practice, declassification is a problem
Problems of B-L Model (cont’d)
Allows information to be transmitted improperly through control variables (storage channels)
Their final forms don’t contain storage channels, but timing channels can exist
Many operations that are in fact secure will be disallowed by the model
Information-Flow Model
Focus on operations that transfer information between objects
Five components:
objects -- hold information
processes -- active agents
security classes -- disjoint classes of information
flow relation -- given 2 classes, determines if information is allowed to flow from one to the other
Information-Flow Model (cont’d)
Flow relation forms a lattice
Information flow (x -> y):
explicit -- operations causing the flow are independent of the value of x, e.g. assignment operation, x=y
implicit -- conditional assignment (if x then y=z)
A program is secure if it does not specify any information flows that violate the given flow relation
Information-Flow Model (cont’d)
A program is secure if it does not specify any information flows that violate the given flow relation
Consider static binding vs dynamic binding
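A static checker for the explicit and implicit flows of the two slides above, as an added example (not code from the slides or from the paper). It uses static binding: every variable is bound once to a security class, and the program is checked without running it. The flow relation is the two-point lattice low -> high (an assumption; the slides only say the relation forms a lattice). An assignment is an explicit flow from the right-hand side into the target; a conditional assignment is additionally an implicit flow from the condition, tracked as the class of the enclosing branch ("pc"), so that `if x then y = z` is rejected when x is high and y is low even though z is low. The toy AST and the function names are constructed for this example.

```python
# Added example (not from the slides): static information-flow checking of a toy
# program with assignments and if-statements under a fixed (static) binding of
# variables to security classes.
from typing import Dict, List, Tuple, Union

CLASSES = ["low", "high"]     # flow relation: low -> high allowed, high -> low not

def flows_to(src: str, dst: str) -> bool:
    """The flow relation: information in class src may flow into class dst."""
    return CLASSES.index(src) <= CLASSES.index(dst)

def join(a: str, b: str) -> str:
    """Least upper bound of two classes (the lattice's class-combining operation)."""
    return CLASSES[max(CLASSES.index(a), CLASSES.index(b))]

# Toy AST. Expressions are variable names or ("op", left, right).
Expr = Union[str, Tuple[str, "Expr", "Expr"]]
Assign = Tuple[str, str, Expr]                       # ("assign", target, expr)
If = Tuple[str, Expr, List["Stmt"], List["Stmt"]]    # ("if", cond, then, else)
Stmt = Union[Assign, If]

def expr_class(e: Expr, binding: Dict[str, str]) -> str:
    """Class of an expression: the join of the classes of the variables it reads."""
    if isinstance(e, str):
        return binding[e]
    _, left, right = e
    return join(expr_class(left, binding), expr_class(right, binding))

def check(stmts: List[Stmt], binding: Dict[str, str], pc: str = "low") -> List[str]:
    """Return the violations found; an empty list means the program specifies
    no flow that violates the relation, i.e. it is secure under this binding."""
    violations = []
    for stmt in stmts:
        if stmt[0] == "assign":
            _, target, expr = stmt
            explicit = expr_class(expr, binding)
            # Everything assigned inside a branch also carries the branch condition.
            src = join(explicit, pc)
            if not flows_to(src, binding[target]):
                kind = "implicit" if flows_to(explicit, binding[target]) else "explicit"
                violations.append(f"{kind} flow into {target}")
        else:
            _, cond, then_branch, else_branch = stmt
            inner_pc = join(pc, expr_class(cond, binding))
            violations += check(then_branch, binding, inner_pc)
            violations += check(else_branch, binding, inner_pc)
    return violations

def is_secure(stmts: List[Stmt], binding: Dict[str, str]) -> bool:
    return not check(stmts, binding)
```

Note that the else branch is checked under the same raised pc as the then branch: the absence of an assignment in one branch says as much about the condition as its presence in the other. That is the observation behind the "deductions about protected information" question on the next slides, and it is why a dynamic check that only looks at the branch actually taken can miss implicit flows that a static binding catches.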
Programs as Channels for Information Transmission
Each of the models views a program as a medium for information transmission
Key question: what information is conveyed by the execution of a program? What deductions about protected information are possible?
Programs as Channels for Information Transmission (cont’d)
Filters (Jones and Lipton): views a policy as a function that maps from the input domain of a program to some subset of that domain
protection mechanism as a filter that assures that the policy is followed
Discussion and Conclusion
Each model defines its own world and its own concept of security in that world
Appropriateness of a particular model depends on the application for which it is to be used
Discussion & Conclusion (cont’d)
Common problem: an operation is either secure or not; not helpful in making trade-offs between security and performance; not true in the physical world, e.g. “safes”
Formal verification of security properties of systems is an active research topic
Most assume a security kernel
Discussion & Conclusion (cont’d)
Models can be divided into three groups: controlling direct access to objects; information flows among objects; an observer’s ability to make inferences
Formal models of computer security are needed in order to ask or answer whether a computer system is secure
Relevant Specification Languages
Based on materials from I. Cervesato, NRL
Languages to Specify What?
Message flow
Message constituents
Operating environment
Protocol goals
Desirable Properties
Unambiguous
Simple
Flexible: adapts to protocols
Powerful: applies to a wide class of protocols
Insightful: gives insight about protocols
Language Families
“Usual notation” (user interfaces)
Knowledge logic: BAN
Process theory: Spi-calculus, Strands, MSR, FDR, Casper, Petri nets
Inductive methods
Temporal logic, Automata
CAPSL, NRL Protocol Analyzer, Murφ
…
Why so many? Experience from mature fields; a unifying problem; scientifically intriguing; funding opportunities
Convergence of approaches