Dr. Indrajit Ray, Computer Science Department, CS 556 - Computer Security - © 2018 Colorado State University
CS 556 – Computer Security
Spring 2018
Dr. Indrajit Ray
Department of Computer Science
Colorado State University
Fort Collins, CO 80523, USA
CHINESE WALL MODEL
● CHINESE WALL MODEL
● BREWER NASH MODEL FOR CHINESE WALL POLICY
● BREWER NASH MODEL DISCUSSION
● CHINESE WALL POLICY AS INSTANCE OF LBAC
Chinese Wall Policy
● Arises in the financial segment of the commercial sector, which
provides consulting services to other companies
● Consultants have to deal with confidential company information
for their clients
● The objective of the Chinese Wall policy is to prevent information
flows that cause a conflict of interest for individual consultants
Chinese Wall Policy
● Example of a commercial security policy for confidentiality
● Mixture of free choice (discretionary) and mandatory controls
● Requires some kind of dynamic labeling
● Brewer-Nash model (1989) for Chinese Wall policy
✦ Claims that the Chinese Wall policy cannot be represented
correctly by a lattice-based model
Chinese Wall Policy
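[Figure: object hierarchy. All Objects are divided into Conflict of Interest Classes (BANKS, Oil Companies); each class is divided into Company Datasets (A and B under BANKS; X and Y under Oil Companies); each company dataset contains Individual Objects.]
A consultant can access information about at most one company in each conflict of interest class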
BREWER NASH MODEL FOR CHINESE WALL POLICY
BN Simple Security – Read Access
● Subject S can read object O only if
✦ Object O is in the same company dataset as some object O′,
previously read by subject S (that is O is within the wall), OR
✦ Object O belongs to a conflict of interest class within which
subject S has not yet read any object (that is O is in the
open)
BN * Property – Write Access
● Subject S can write object O only if
✦ Subject S can read object O by the simple security rule,
AND
✦ No object, O′, can be read which is in a different company
dataset to the one for which write access is required
Reason for BN * Property
[Figure: Alice's Wall contains Bank A and Oil Company X; Bob's Wall contains Bank B and Oil Company X.]
Cooperating Trojan horses can transfer Bank A information to Bank B objects, and vice versa, using Oil Company X objects as intermediaries
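The two Brewer-Nash rules and the Alice/Bob scenario above can be exercised with a small reference monitor. This is an added example, not code from the lecture; the object names, the subject "carol" and the class layout are constructed, and "can be read" in the * property is interpreted as "has already been read by S".

```python
# Constructed sample data: object -> (conflict of interest class, company dataset)
OBJECTS = {
    "bankA_ledger": ("BANKS", "Bank A"),
    "bankB_ledger": ("BANKS", "Bank B"),
    "oilX_report": ("OIL", "Oil Company X"),
}

class BrewerNashMonitor:
    def __init__(self, objects):
        self.objects = objects
        self.history = {}  # subject -> set of (COI class, dataset) read so far

    def can_read(self, subject, obj):
        """BN simple security: O is within the wall, or O is in the open."""
        coi, dataset = self.objects[obj]
        seen = self.history.get(subject, set())
        within_wall = (coi, dataset) in seen
        in_the_open = all(c != coi for c, _ in seen)
        return within_wall or in_the_open

    def read(self, subject, obj):
        allowed = self.can_read(subject, obj)
        if allowed:  # the wall is built dynamically from the read history
            self.history.setdefault(subject, set()).add(self.objects[obj])
        return allowed

    def can_write(self, subject, obj):
        """BN * property: readable, and nothing read from any other dataset."""
        target = self.objects[obj]
        seen = self.history.get(subject, set())
        return self.can_read(subject, obj) and all(d == target for d in seen)

def trojan_scenario():
    """Alice: Bank A + Oil X. Bob: Bank B + Oil X. Carol: Oil X only."""
    m = BrewerNashMonitor(OBJECTS)
    for subject, obj in [("alice", "bankA_ledger"), ("alice", "oilX_report"),
                         ("bob", "bankB_ledger"), ("bob", "oilX_report"),
                         ("carol", "oilX_report")]:
        m.read(subject, obj)
    return {
        "alice_reads_bankB": m.can_read("alice", "bankB_ledger"),
        "alice_writes_oilX": m.can_write("alice", "oilX_report"),  # relay path
        "alice_writes_bankA": m.can_write("alice", "bankA_ledger"),
        "carol_writes_oilX": m.can_write("carol", "oilX_report"),
    }
```

Alice's subject is refused the write to the Oil Company X object, so it cannot serve as the intermediary; only a subject confined to a single company dataset keeps write access.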
BREWER NASH MODEL DISCUSSION
Implication of BN * Property
● Either
✦ Subject S cannot write at all
● Or
✦ Subject S is limited to reading and writing one company
dataset
Dynamic Aspect of Chinese Wall
● A fresh new consultant hire can access information about any
company in the database
✦ Thus he/she can start at any level
● As the new hire advances, he/she acquires more information
✦ With BN model therefore we have to have a different
consultant for every company dataset
Why This Impasse?
● Failure to clearly distinguish user labels from subject labels
✦ Users should be trusted
✦ Subjects can contain Trojan Horses so cannot be trusted
Users, Principals and Subjects
[Figure: tree with USER at the root, branching to PRINCIPAL 1, PRINCIPAL 2, ..., PRINCIPAL n; each principal branches to its SUBJECTS.]
Users, Principals and Subjects
● A principal is basically a login session
● A user is essentially a collection of principals
● A subject is basically a process running on behalf of the principal
✦ A principal can be a collection of several subjects
Users, Principals and Subjects
[Figure: the USER Alice and her PRINCIPALS: Alice.novice, Alice.BANK A, Alice.OIL COMPANY X, and the combination of Alice.BANK A and Alice.OIL COMPANY X.]
CHINESE WALL POLICY AS INSTANCE OF LBAC
Chinese Wall Lattice
● To properly understand and enforce information security policies
we must distinguish between
✦ policy applied to users and
✦ policy applied to principals and subjects
● The Brewer-Nash star property should apply to Alice’s principals,
not to Alice the user
● A lattice implementation of Chinese Wall should allow dynamic
creation of principals rather than dynamic labelling of subjects
Chinese Wall Lattice
● We have to define
✦ The set of security classes
✦ The security class combining operator
✦ The can-flow relation
● Achieved with the help of 9 Axioms
Axioms 1 and 2
● Axiom 1:
✦ There are $n$ conflict of interest classes $\mathrm{COI}_1, \mathrm{COI}_2, \ldots, \mathrm{COI}_n$
● Axiom 2:
✦ Each conflict of interest class $\mathrm{COI}_i$ consists of $m_i$ companies
■ That is, $\mathrm{COI}_i = \{1, 2, \ldots, m_i\}$
Axiom 3
● Labels for Objects
✦ Label each object in the system with the companies from
which it contains information. Obviously an object cannot
contain information from two companies from the same
conflict of interest class
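● A security label is an $n$-element vector $[i_1, i_2, \ldots, i_n]$, where
each $i_k \in \mathrm{COI}_k$ or $i_k = \bot$ (null)
✦ $\mathrm{LABELS} = \{[i_1, i_2, \ldots, i_n] \mid i_1 \in \mathrm{COI}'_1, \ldots, i_n \in \mathrm{COI}'_n\}$, where
$\mathrm{COI}'_1 = \mathrm{COI}_1 \cup \{\bot\}, \ldots, \mathrm{COI}'_n = \mathrm{COI}_n \cup \{\bot\}$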
Axiom 3 – Illustration
● Example
✦ Assume 5 different COI classes
✦ An object which contains information only from company #4
in $\mathrm{COI}_3$ will be labeled by the vector [⊥, ⊥, 4, ⊥, ⊥]
● Note
✦ A label which has all ⊥ elements corresponds to public
information
Axiom 4
● Special label for system high
✦ EXTLABELS = LABELS ∪ {SYSHIGH}
Axiom 5
● Dominance relation among labels
✦ Let $l_j[i_k]$ represent the $i_k$-th element of label $l_j$
✦ $(\forall l_p, l_q \in \mathrm{LABELS})\,[\,l_p \ge l_q \iff (\forall i_k = 1, \ldots, n)\,[(l_p[i_k] = l_q[i_k]) \lor (l_q[i_k] = \bot)]\,]$
✦ That is, $l_p$ dominates $l_q$ provided that $l_p$ and $l_q$ agree
wherever $l_q \ne \bot$
Axiom 5 - Examples
● [1,3,2] is a label for an object with information from company #1
in $\mathrm{COI}_1$, company #3 in $\mathrm{COI}_2$ and company #2 in $\mathrm{COI}_3$
● [1,3,⊥] is a label for an object with information from company #1
in $\mathrm{COI}_1$, company #3 in $\mathrm{COI}_2$ and no information from any
company in $\mathrm{COI}_3$
● [1,3,2] > [1,3,⊥]
Axiom 5 - More Examples
● [1,3,1] > [⊥,⊥,1]
● [⊥,3,⊥] and [⊥,2,⊥] are incomparable (that is, neither dominates
the other)
Axiom 6
● To account for system high
✦ (∀l ∈ EXTLABELS)[SYSHIGH ≥ l]
✦ That is SYSHIGH dominates all other labels
Axiom 7
● Compatible labels
✦ $l_p, l_q \in \mathrm{LABELS}$ are compatible iff $(\forall k = 1, \ldots, n)\,[(l_p[i_k] = l_q[i_k]) \lor (l_p[i_k] = \bot) \lor (l_q[i_k] = \bot)]$
✦ Intuitively information from compatible incomparable classes
can be combined without violating the Chinese Wall policy
Axiom 7 Example
● [⊥,3,⊥] and [⊥,2,⊥] are incompatible
✦ They are also incomparable
● [1,⊥,2] and [1,2,⊥] are compatible
✦ They are incomparable, though
● [1,3,1] and [⊥,⊥,1] are compatible
✦ They are also comparable
✦ By definition comparable labels are compatible
Axiom 8
● Class combining (or ⊕) operation
✦ Compatible labels are combined as follows – if $l_p$ is
compatible with $l_q$ then $l_p \oplus l_q = l_s$, where
$$l_s[i_k] = \begin{cases} l_p[i_k] & \text{if } l_p[i_k] \ne \bot \\ l_q[i_k] & \text{otherwise} \end{cases}$$
Axiom 8 (continued)
● Class combining (or ⊕) operation
✦ Incompatible classes are combined as follows – if $l_p$ is
incompatible with $l_q$ then
$l_p \oplus l_q = \mathrm{SYSHIGH}$
✦ If $l_p \ge l_q$ then $l_p \oplus l_q = l_p$
✦ If $l_q \ge l_p$ then $l_p \oplus l_q = l_q$
Axiom 8 Example
● [1,⊥,2] is compatible with [1,2,⊥]
✦ [1,⊥,2] ⊕ [1,2,⊥] = [1,2,2]
● [1,2,⊥] ≥ [1,⊥,⊥]
✦ [1,2,⊥] ⊕ [1,⊥,⊥] = [1,2,⊥]
Axiom 9
● Class combining with respect to SYSHIGH
✦ (∀l ∈ EXTLABELS)[l ⊕ SYSHIGH = SYSHIGH]
Example of a Chinese Wall Lattice
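[Figure: Chinese Wall lattice for two conflict of interest classes with two companies each. From top to bottom: SYSHIGH; then [1, 1], [1, 2], [2, 1], [2, 2]; then [1, ⊥], [⊥, 1], [⊥, 2], [2, ⊥]; then [⊥, ⊥] at the bottom.]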
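Axioms 4 to 9 translate directly into code, which also makes it possible to check mechanically that ⊕ is a least upper bound, the property that makes the structure a lattice. This is an added example, not code from the lecture; representing ⊥ as `None`, labels as tuples, and the function names are assumptions made here.

```python
from itertools import product

BOT = None           # stands for ⊥ (assumed encoding)
SYSHIGH = "SYSHIGH"  # Axiom 4: the extra system-high label

def dominates(lp, lq):
    """Axioms 5 and 6: True iff lp >= lq."""
    if lp == SYSHIGH:
        return True
    if lq == SYSHIGH:
        return False
    return all(q is BOT or p == q for p, q in zip(lp, lq))

def compatible(lp, lq):
    """Axiom 7, defined on LABELS only (neither argument is SYSHIGH)."""
    return all(p == q or p is BOT or q is BOT for p, q in zip(lp, lq))

def combine(lp, lq):
    """Axioms 8 and 9: the class combining operator ⊕."""
    if SYSHIGH in (lp, lq) or not compatible(lp, lq):
        return SYSHIGH
    return tuple(p if p is not BOT else q for p, q in zip(lp, lq))

def all_labels(sizes):
    """EXTLABELS for COI classes holding sizes[0], sizes[1], ... companies."""
    axes = [[BOT] + list(range(1, m + 1)) for m in sizes]
    return [tuple(v) for v in product(*axes)] + [SYSHIGH]

def is_least_upper_bound(sizes):
    """Check, for every pair of labels, that a ⊕ b is their least upper bound."""
    labels = all_labels(sizes)
    for a, b in product(labels, repeat=2):
        s = combine(a, b)
        uppers = [u for u in labels if dominates(u, a) and dominates(u, b)]
        if s not in uppers or not all(dominates(u, s) for u in uppers):
            return False
    return True
```

Calling `all_labels([2, 2])` yields the ten nodes of the two-class lattice in the figure, and `is_least_upper_bound([2, 2])` confirms the join property for it.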
Assigning Labels to Users
● The label of a user is a high water mark that can float up in the
Chinese Wall lattice starting with [⊥, ⊥, . . ., ⊥]
● With each user a set of principals is associated, one at each
label dominated by the user’s label
✦ For example, if Alice, the user, has a label [1, 2], then Alice
has the following set of principals – Alice.[1, ⊥], Alice.[⊥, 2]
and Alice.[⊥, ⊥]
✦ Alice can log in as any one of these principals at any given
time.