Chapter 5 – Designing Trusted Operating Systems

In this sectionWhat is a trusted system?Security Policy

MilitaryCommercialClark-WilsonSeparation of Duty Chinese Wall

ModelsLattice ModelBell-La PadulaBibaGraham-DenningTake-Grant

Designing Trusted OSPrimary security in computing systemsPrimary Security

MemoryFileObjects/Access ControlUser Authentication

Trusted – We are confident that services are provided consistently and effectively

Making of a trusted OSPolicy – requirements statement of what is

should doModel – model of the environment to be

secured; represents the policy to be enforcedDesign – the means of implementation;

functionality and construction Trust – assurance of meeting expectation

through the features offered

What is a trusted system?What makes something secure?

For how long?Trusted Software – rigorously developed and

analyzedKey Characteristics of Trusted Software:

Functional CorrectnessEnforcement of Integrity Limited PrivilegeAppropriate Confidence Level

We speak in terms of trusted and not secure

Many types of Trust:Trusted ProcessTrusted ProductTrusted SoftwareTrusted Computing BaseTrusted System

Through:Enforcement of Security PolicySufficiency of Measures and MechanismEvaluation

Security PolicySecurity Policy – statement of the security we

expect the system to enforceA trusted system can be trusted only in

relation to its security policy…. To the security needs the system expected to satisfy

Military Security PolicyBasis of many OS security policiesBased on protecting classified informationTop Secret (most sensitive), Secret,

Confidential, Restricted, Unclassified (least sensitive)

Limited by the Need-to-Know rule: Access is allowed only to subjects who need to know data to perform job.

Compartments- classification information may be associated with one or more projects describing the subject matter of the information

Classification - <rank; compartments>This enforces need-to-know both by security level

and by topicClearance – person is trusted to access

information up to a given level of sensitivity with need-to-know

Dominance, on a set of Objects (0) and Subjects (s)s ≤ o if and only if

rank(s) ≤ rank (0) and compartments (s) ⊆ compartments(0)

We say 0 dominates s (or s is dominated by o)Dominance is used to limit the sensitivity and

content of information a subject can accessAs subject can read an object only if:

clearance level of the subject is at least as high as the information

Subject has a need-to-know about all compartments for which the information is classified

Commercial Security PoliciesWorried about espionageDegrees of sensitivity:

PublicProprietary Internal

No dominance function for most commercial policies since no formal clearance is needed

Integrity and availability are just, not if more, important than confidentiality

Clark-Wilson Commercial Security PolicyThis is based on IntegrityPolicy on well-formed transactionsSequence of activities Performing steps in order, performing exactly

the steps listed, and authentication of individuals in the steps (well-formed transactions)

Goal: maintain consistency between internal data and external (users’) expectation of data

Constrained data items which are processed by transformation procedures

Separation of Duty The required division of responsibilities is

called separation of dutyAccomplished manually by means of dual

signatures

Chinese Wall Security PolicyUsed in legal, medical, investment and

accounting firmsAddresses the conflict of interestSecurity Policy Builds on:

Objects – low levelCompany Groups – mid levelConflict Classes – high level, groups of objects

of competing companies are clusterd

Models of SecuritySecurity Models are used to:

Test a particular policy for completeness and consistency

Document policyHelp conceptualize and design an

implementationCheck whether an implementation meets its

requirementsPolicy is established outside any modelModel is only a mechanism that enforces the

policy

Multilevel Security Build a model to represent a range of

sensitivities and to reflect the need to separate subjects rigorously from objects to which they should not have access

The generalized model is called the Lattice Model of Security

Bell-La Padula Confidentiality ModelFormal description of allowable paths of flow in a

secure systemFormalization of the military security policyTwo properties:

Simple Security Property – A subject s may have read access to object o only if C(o) ≤ C(s)

*-Property – A subject s who has read access to an object o may have write access to an object p only if C(o) ≤ C(p)

C(s) – clearance; c(0) classificationWrite-down – high level subjects transfers high

level data to a low level object (prevented by star property)

Figure 5-7  Secure Flow of Information.

Biba Integrity ModelBell-La Padula model applies only to secrecy Biba is about Integrity and defines integrity

levelsProperties:

Simple Integrity Property – Subject s can modify (have write access to) object o only if I(s) ≥ I(o)

*-Property – if subject s has read access to object o with integrity level I(0), s can have write access to object p only if I(o) ≥ I(p) [write-down]

Totally ignores secrecy

Graham-Denning ModelFormal System of Protection RulesAccess Control Mechanism (matrix) of a

protection systemEight Privative Protection Rights

Create object, Create subject, Delete object and Delete subject

Read AccessGrant AccessDelete Access RightTransfer Access Right

Matrix: A[s,o]

Take-Grant SystemsFour primitives: create, revoke, take and

grant