
Page 1: Vinay Kumar Madhadi 10/28/2009 CSC-8320. Outline  Part 1 : Mandatory Flow Control Models? MAC vs. DAC Information Flow Control  Part 2 : Different Models-Lattice

MANDATORY FLOW CONTROL MODELS

Vinay Kumar Madhadi

10/28/2009

CSC-8320


Outline

Part 1: Mandatory Flow Control Models? MAC vs. DAC; Information Flow Control
Part 2: Different Models - Lattice & Multi-Level; Recent Studies
Part 3: Future work


Part 1: What is Mandatory Flow Control Model?

Mandatory flow control models are the subset of computer security models that require access control of all subjects and objects under their control on a system-wide basis.

(Chow et al, 1997)

How is it different from Discretionary Security Model and why is it needed?


DISCRETIONARY AC VS MANDATORY AC

DAC: Access is determined by the owner of the object. The owner decides who is allowed to access the object and what privileges they have. It is discretionary by nature.

MAC: Access is governed by a policy determined by the system. It is used in multi-level systems that process highly sensitive data. It is non-discretionary.


Problem with Access Control Matrix Model

Confinement problem: how to determine whether there is any mechanism by which a subject authorized to access an object may leak information contained in that object to other subjects not authorized to access that object.

Another disadvantage is that no semantics of the information in the objects are considered; thus the security sensitivity of an object is hardly expressed by that model.

Security control should be applied to the information itself, in addition to the subject holding the information.


Information Flow Control:

Information Flow control is concerned with how information is propagated from one object to another.

System entities are partitioned into security classes.

The security classes of all entities must be specified explicitly, and the class of an entity seldom changes after it has been created (changes are sometimes made by the system administration).


Part 2: Different Models

There are three different models employed, namely:

1. Lattice Model
2. Bell-LaPadula Model
3. Biba Model


Lattice Model

It is the best known information flow control model.

Based upon the concept of a lattice from mathematics.

A lattice is a Directed Acyclic Graph (DAG) with a single source and sink. Information is permitted to flow from a lower class to an upper class.


Lattice Model contd..


Flow Properties of the lattice

The relation → is reflexive, transitive and anti-symmetric for all A, B, C ∈ SC:

1. Reflexive: A → A
2. Transitive: A → B and B → C implies A → C.
3. Anti-symmetric: A → B and B → A implies A = B.

In addition, the other two properties of a lattice (with A ∪ B the join of A and B) include:

1. Aggregation: A → C and B → C implies A ∪ B → C
2. Separation: A ∪ B → C implies A → C and B → C


Multi-Level Security Models

Multilevel Security is a special case of the lattice-based information flow model.

There are two well-known multilevel security models:

1. The Bell-LaPadula Model

2. The Biba Model


Bell LaPadula Model:

L is a linearly ordered set of security levels. C is a lattice of security categories.

The security class assigned to a subject or an object includes two components: a hierarchical security level and a non-hierarchical security category.

The security level is called the clearance if applied to subjects, and classification if applied to objects.

Each security category is a set of compartments that represent natural or artificial characteristics of subjects and objects and is used to enforce the need-to-know principle.


Bell-LaPadula Model contd..

The lattice of security classes is L × C. For A, B ∈ L × C, A dominates B if A's level is higher than or equal to B's level and B's category is a subset of A's category. F(s) and F(o) denote the class assigned to subject s and object o.

Security with respect to confidentiality in the Bell-LaPadula model is described by the following two axioms:

Simple security property: reading information from an object o by a subject s requires that F(s) dominates F(o) ("no read up").

The *-property: writing information to an object o by a subject s requires that F(o) dominates F(s) ("no write down").


Biba Model:

In the Biba model, information can only flow from a higher integrity class to a lower integrity class.

L is a linearly ordered set of integrity levels. C is a lattice of integrity categories.

Integrity levels form a linear lattice in which each level represents the classification of integrity of information an object can contain, or the clearance of a subject for modifying an object.

Integrity categories form a subset lattice and are used to enforce the need-to-have principle.

The lattice of security classes is L × C.


Biba Model Contd..

Security with respect to integrity in the Biba model is described by the following two axioms:

Simple security property: writing information to an object o by a subject s requires that F(s) dominates F(o) ("no write up").

The *-property: reading information from an object o by a subject s requires that F(o) dominates F(s) ("no read down").


BLP Model VS Biba Model

BLP Model: Emphasizes information confidentiality. Subjects reading from an object must have a higher security class than the object. Objects being written to by a subject must have a higher security class than the subject.

Biba Model: Emphasizes information integrity. Subjects writing information to an object must have a higher security class than the object. Objects being read from by a subject must have a higher security class than the subject.
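The following Python is an added worked example, not code from the slides or from Chow et al. It models the lattice L × C of the Lattice, Bell-LaPadula and Biba slides: a security class is a (level, category set) pair, `dominates` is the relation defined on the Bell-LaPadula slide, `join` is the A ∪ B written in the flow properties, `check_flow_properties` verifies the five properties by exhaustive enumeration, and the four rule functions encode the BLP and Biba axioms. `can_copy` then illustrates the confinement problem from the access-control-matrix slide: a DAC grant alone lets a program running as a cleared subject copy a secret object into a public one, while the BLP *-property blocks the write. The level names, compartment names and the `dac_allow_all` stand-in are constructed assumptions.

```python
from dataclasses import dataclass
from itertools import combinations, product

# Constructed sample of hierarchical levels, ordered from lowest to highest.
LEVELS = ("unclassified", "secret", "top_secret")
RANK = {name: i for i, name in enumerate(LEVELS)}
# Constructed sample of non-hierarchical compartments (need-to-know categories).
COMPARTMENTS = ("crypto", "nuclear")


@dataclass(frozen=True)
class SecurityClass:
    """A point of the lattice L x C: a level from L plus a set of categories from C."""
    level: str
    categories: frozenset

    def dominates(self, other):
        # A dominates B: A's level is at least B's and B's categories are a subset of A's.
        return RANK[self.level] >= RANK[other.level] and other.categories <= self.categories

    def join(self, other):
        # Least upper bound (A U B on the slides): the higher level, union of categories.
        level = max(self.level, other.level, key=RANK.__getitem__)
        return SecurityClass(level, self.categories | other.categories)


def flows(a, b):
    """A -> B: information may flow from class A to class B iff B dominates A."""
    return b.dominates(a)


def build_lattice(levels=LEVELS, compartments=COMPARTMENTS):
    """Every (level, category-set) pair; the category sets form the subset lattice."""
    subsets = [frozenset(c) for r in range(len(compartments) + 1)
               for c in combinations(compartments, r)]
    return [SecurityClass(lvl, s) for lvl in levels for s in subsets]


def check_flow_properties(classes):
    """Verify the five flow properties from the slides by exhaustive enumeration."""
    pairs = list(product(classes, repeat=2))
    triples = list(product(classes, repeat=3))
    return {
        "reflexive": all(flows(a, a) for a in classes),
        "transitive": all(flows(a, c) for a, b, c in triples
                          if flows(a, b) and flows(b, c)),
        "antisymmetric": all(a == b for a, b in pairs if flows(a, b) and flows(b, a)),
        "aggregation": all(flows(a.join(b), c) for a, b, c in triples
                           if flows(a, c) and flows(b, c)),
        "separation": all(flows(a, c) and flows(b, c) for a, b, c in triples
                          if flows(a.join(b), c)),
    }


# Bell-LaPadula (confidentiality): F(s) is the subject's clearance, F(o) the object's classification.
def blp_can_read(s, o):
    return s.dominates(o)      # simple security property: no read up


def blp_can_write(s, o):
    return o.dominates(s)      # *-property: no write down


# Biba (integrity): the same lattice read as integrity levels and categories.
def biba_can_write(s, o):
    return s.dominates(o)      # simple property: no write up


def biba_can_read(s, o):
    return o.dominates(s)      # *-property: no read down


def can_copy(subject, source, sink, can_read, can_write):
    """Confinement check: a program running as `subject` (e.g. a Trojan horse) can copy
    `source` into `sink` only if the policy lets it read the source AND write the sink."""
    return can_read(subject, source) and can_write(subject, sink)


def dac_allow_all(s, o):
    """Constructed stand-in for a DAC grant: the owner gave this subject the right, no class check."""
    return True


if __name__ == "__main__":
    print(check_flow_properties(build_lattice()))
    s = SecurityClass("secret", frozenset({"crypto"}))
    secret_doc = SecurityClass("secret", frozenset({"crypto"}))
    public_doc = SecurityClass("unclassified", frozenset())
    print("DAC copy allowed:", can_copy(s, secret_doc, public_doc, dac_allow_all, dac_allow_all))
    print("BLP copy allowed:", can_copy(s, secret_doc, public_doc, blp_can_read, blp_can_write))
```

Running the file prints the five property checks (all true for this product lattice) and shows that the same read-then-write sequence a DAC grant permits is stopped by the *-property, which is exactly the leak the confinement problem is about. Swapping in `biba_can_read`/`biba_can_write` reverses the direction: a low-integrity subject may read but not write a high-integrity object.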


Part 2: Recent Studies

A) INFORMATION FLOW ENHANCED DISCRETIONARY ACCESS CONTROL (IFEDAC):

Generally, DAC mechanisms are more user-friendly than Mandatory Access Control (MAC) systems, but are vulnerable to attacks that use a Trojan horse or exploit buggy software.

The IFEDAC model combines the best of both DAC (ease of use) and MAC (defense against Trojan horse and buggy-software problems).

Advantage: Combines the best of DAC and MAC.
Disadvantage: Can be implemented only on the Linux OS.

(Jiang, Ziqing, Chen 2009)


Recent Studies contd..

B) PROTECTING CONFIDENTIALITY AGAINST TROJAN HORSE PROGRAMS IN DAC SYSTEMS:

A modified DAC is proposed with the central idea of separating the management of rights from the other activities of the user.

The resulting system offers the flexibility of DAC and the protection of MAC.

Advantage: The lack of flexibility of MAC systems is eliminated.

(Adrian, Armin, Hartmut 2008)


Part 3: Future Work

Mandatory flow control models do not solve the Trojan horse problem completely. If any covert channels are present, enforcement of information flow policies will be difficult. Research must be done to develop a type of model which solves the Trojan horse problem completely even with covert channels present.

A model must be developed which can function on all operating systems, unlike the IFEDAC model, which can function only on Linux machines.

(Jiang, Ziqing, Chen 2009)


Future Work contd..

A new model combining the advantages of discretionary, mandatory and role-based access control models must be developed. This should avoid all the shortcomings that these models faced. Research done in this field will contribute a lot to the field of computer security.

(Sylvia, Qamar, Ravi 2000)

Since newer operating systems keep emerging, it is important to constantly update the models developed so that they function on the latest operating systems too.

Example: the Biba model is implemented in Windows Vista.


References:

Jiang, X., Mao, Z., Li, Chen, H.: Trojan Horse Resistant Discretionary Access Control. In: ACM 2009, pp. 237–246 (2009)

Adrian S., Armin B., Hartmut L.: Protecting Confidentiality against Trojan Horse Programs in Discretionary Access Control Systems (2008)

Tanenbaum, A.S., van Steen, M.: Distributed Systems: Principles and Paradigms, 2nd edn. Prentice Hall, Englewood Cliffs (2007)

Brodsky, A., Csilla F., Sushil J.: Database Security: Concepts, Approaches, and Challenges. IEEE Transactions on Dependable and Secure Computing (March 2005)

Jiang, Y., Lin, C., Chen, Z., Yin, H.: Security Analysis of Mandatory Access Control Model. In: 2004 IEEE International Conference on Systems, Man and Cybernetics (2004)

Tanenbaum, A.S., van Steen, M.: Distributed Systems: Principles and Paradigms. Prentice Hall (2002)

Tel, G.: Introduction to Distributed Algorithms, 2nd edn. Cambridge University Press (2000)

Sylvia O., Qamar M., Ravi S.: Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM, pp. 85–106 (March 2000)

Chow, R., Johnson, T.: Distributed Operating Systems & Algorithms. Addison Wesley (1997)


THANK YOU