Lattice Based Access Control Models By Reena Cherukuri - PowerPoint PPT Presentation

Slides: 42
Provided by: erc90
1
Lattice Based Access Control Models
By Reena Cherukuri
2
BASICS
  • Set: A collection of items which may or may not
    be related to each other. The members of a set
    are called elements. The symbol for a set is a
    pair of curly brackets, with the elements of the
    set between them: {A, B, C}
  • Cartesian Product: The Cartesian product of two
    sets A and B (also called the product set, set
    direct product, or cross product) is defined to
    be the set of all ordered pairs (a, b) where a ∈ A
    and b ∈ B. It is denoted A × B.

3
BASICS
  • Relation: Let A and B be two sets. A relation
    between A and B is a collection of ordered pairs
    (a, b) such that a ∈ A and b ∈ B. Often we write
    the relation symbol between a and b (infix
    notation) to indicate that a and b are related,
    rather than using the ordered-pair notation (a, b).
  • Functions: Let A and B be two sets. A function f
    from A to B is a relation between A and B such
    that for each a ∈ A there is one and only one
    associated b ∈ B. The set A is called the domain
    of the function, B is called its range. Often a
    function is denoted as y = f(x) or simply f(x),
    indicating the relation (x, f(x)).

4
TOPICS
  • Denning's Axioms
  • Military Lattice
  • Bell-LaPadula Model
  • The Biba Model and Duality
  • The Chinese Wall Lattice

5
INTRODUCTION
  • The objective of information security is divided
    into three separate but interrelated areas, as
    follows:
  • Confidentiality
  • Integrity
  • Availability
  • Lattice-based access control models were
    developed to deal with information flow in
    computer systems.
  • Information flow is clearly central to
    confidentiality and applies to integrity to some
    extent.

6
INFORMATION FLOW POLICIES
  • Information flow policies are concerned with the
    flow of information from one security class to
    another.
  • Information actually flows from one object to
    another.
  • An object can be defined as a container of
    information.
  • Information flow is typically controlled by
    assigning every object a security class (the
    object's security label).

7
Denning Axioms
  • The concept of an information flow policy was
    formally defined by Denning.
  • Information Flow Policy (Definition 1)
  • It is a triple
  • < SC, →, ⊕ >
  • SC: set of security classes
  • → ⊆ SC × SC: flow relation (i.e., can-flow)
  • ⊕: SC × SC → SC: class-combining operator (join)
  • It is understood that all three components of an
    information flow policy are fixed and do not
    change with time. Objects can be created and
    destroyed dynamically, but security classes cannot
    be created or destroyed dynamically.

8
Denning Axioms
  • Example 1: Isolated Classes. SC = {A1, ..., An}; for
    i = 1..n we have Ai → Ai and Ai ⊕ Ai = Ai, and
    for i, j = 1..n, i ≠ j we have Ai ↛ Aj and Ai ⊕
    Aj is undefined.
  • The simplest example of a non-trivial information
    flow policy occurs when there are just two
    security classes, called H (for high) and L (for
    low), with all flows allowed except that from
    high to low.
  • Example 2: High-Low Policy. SC = {H, L}, and → =
    {(H,H), (L,L), (L,H)}. Equivalently, in infix
    notation, H → H, L → L, L → H, and H ↛ L. The
    join operator is defined as follows: H ⊕ H = H, L
    ⊕ H = H, H ⊕ L = H, and L ⊕ L = L.

9
Denning Axioms
  • Definition 2 (Denning's Axioms)
  • < SC, →, ⊕ >
  • SC is finite
  • → is a partial order on SC
  • SC has a lower bound L such that L → A for all A ∈ SC
  • ⊕ is a least upper bound (lub) operator on SC
  • Example 3: Bounded Isolated Classes.
    SC = {A1, ..., An, L, H}; L → L, L → H, H → H, and
    for i = 1..n we have L → Ai, Ai → Ai, Ai → H;
    for i = 1..n we have Ai ⊕ Ai = Ai, Ai ⊕ H = H, and
    Ai ⊕ L = Ai; and for i, j = 1..n, i ≠ j we have Ai
    ⊕ Aj = H.

10
Denning Axioms
  • Definition 3: Dominance
  • A ≥ B (read as A dominates B) if and only if B →
    A. The strictly dominates relation > is defined
    by A > B if and only if A ≥ B and A ≠ B. We say
    that A and B are comparable if A ≥ B or B ≥ A;
    otherwise A and B are incomparable. The strictly
    dominates relation has the following
    significance: if A > B then A ↛ B but B → A. In
    other words, A is more sensitive than B.
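The following is an added example, not part of the slides: it holds a policy < SC, →, ⊕ > as explicit finite tables and checks the four axioms of Definition 2 plus the dominance relations of Definition 3 against Examples 1, 2 and 3. The class names, the table layout and the brute-force checks are this example's own choices; the policies themselves are the ones stated on the slides.

```python
from itertools import product


class FlowPolicy:
    """Denning's information flow policy <SC, ->, (+)> held as explicit finite tables.

    flows: set of pairs (A, B) meaning A -> B, i.e. information may flow from A to B.
    join : dict mapping (A, B) to A (+) B; a missing key means the join is undefined.
    """

    def __init__(self, classes, flows, join):
        self.SC = frozenset(classes)
        self.flows = frozenset(flows)
        self.join = dict(join)

    # --- flow relation and dominance (Definitions 1 and 3) ---
    def can_flow(self, a, b):
        return (a, b) in self.flows

    def dominates(self, a, b):           # A >= B  iff  B -> A
        return self.can_flow(b, a)

    def strictly_dominates(self, a, b):  # A > B  iff  A >= B and A != B
        return self.dominates(a, b) and a != b

    def comparable(self, a, b):
        return self.dominates(a, b) or self.dominates(b, a)

    # --- Denning's axioms (Definition 2) ---
    def is_partial_order(self):
        SC = self.SC
        reflexive = all(self.can_flow(a, a) for a in SC)
        antisymmetric = all(a == b for a in SC for b in SC
                            if self.can_flow(a, b) and self.can_flow(b, a))
        transitive = all(self.can_flow(a, c) for a in SC for b in SC for c in SC
                         if self.can_flow(a, b) and self.can_flow(b, c))
        return reflexive and antisymmetric and transitive

    def lower_bound(self):
        """The class L with L -> A for every A in SC, or None if there is none."""
        for low in self.SC:
            if all(self.can_flow(low, a) for a in self.SC):
                return low
        return None

    def is_lub_operator(self):
        """A (+) B must be defined, be an upper bound of A and B, and flow to every other upper bound."""
        for a, b in product(self.SC, repeat=2):
            c = self.join.get((a, b))
            if c is None or not (self.can_flow(a, c) and self.can_flow(b, c)):
                return False
            if any(self.can_flow(a, d) and self.can_flow(b, d) and not self.can_flow(c, d)
                   for d in self.SC):
                return False
        return True

    def denning_axioms(self):
        return {
            "finite": True,  # SC was built from an explicit finite collection
            "partial_order": self.is_partial_order(),
            "lower_bound": self.lower_bound() is not None,
            "lub_operator": self.is_lub_operator(),
        }

    def satisfies_axioms(self):
        return all(self.denning_axioms().values())


def high_low():
    """Example 2: SC = {H, L}, all flows allowed except H -> L."""
    flows = {("H", "H"), ("L", "L"), ("L", "H")}
    join = {("H", "H"): "H", ("L", "H"): "H", ("H", "L"): "H", ("L", "L"): "L"}
    return FlowPolicy({"H", "L"}, flows, join)


def isolated(n):
    """Example 1: n classes that only flow to themselves; joins across classes undefined."""
    classes = [f"A{i}" for i in range(1, n + 1)]
    return FlowPolicy(classes, {(a, a) for a in classes}, {(a, a): a for a in classes})


def bounded_isolated(n):
    """Example 3: the isolated classes with a bottom L and a top H added."""
    classes = [f"A{i}" for i in range(1, n + 1)]
    flows = {("L", "L"), ("L", "H"), ("H", "H")}
    join = {("L", "L"): "L", ("L", "H"): "H", ("H", "L"): "H", ("H", "H"): "H"}
    for a in classes:
        flows |= {("L", a), (a, a), (a, "H")}
        join.update({(a, a): a, (a, "H"): "H", ("H", a): "H", (a, "L"): a, ("L", a): a})
        for b in classes:
            if a != b:
                join[(a, b)] = "H"
    return FlowPolicy(classes + ["L", "H"], flows, join)


if __name__ == "__main__":
    for name, policy in [("high-low", high_low()), ("isolated(3)", isolated(3)),
                         ("bounded isolated(3)", bounded_isolated(3))]:
        print(name, policy.denning_axioms())
```

Running it shows why Example 1 is not a lattice (no lower bound, and the join of two distinct classes is undefined) while Examples 2 and 3 pass all four axioms; the same checker can be pointed at any small hand-written policy before it is trusted to label objects.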

11
MILITARY LATTICE
12
MILITARY LATTICE
13
Subset Lattice
  • In this policy can-flow is identical to the
    subset relation, dominance is identical to
    superset, and join is the union of labels.
    This is called a subset lattice.
  • There are 2^n subsets of a set of size n, so there
    is an exponential increase in the number of
    security classes as the number of categories
    increases.
  • In the military and government the individual set
    elements (i.e. A and B) are called categories,
    while the security classes (i.e. sets of
    categories) are known as compartments.

14
EMBEDDING A PARTIAL ORDER IN A LATTICE
It is always possible to embed a partial order in
a lattice by including additional security
classes.
15
PRODUCT LATTICE
16
PRODUCT LATTICE
17
SMITHS LATTICE
  • It is possible to generate very large lattices.
    In reality a small subset of the entire lattice
    would be used.
  • Smith described an actual lattice based on common
    practice in the military.
  • The security classes consist of four linearly
    ordered security levels TS > S > C > U, and 8
    categories A, K, L, Q, W, X, Y, Z corresponding to, say,
    8 different projects in the system.
  • It has 21 labels from a possible space of
  • 4 × 2^8 = 1024

18
SMITHS LATTICE
19
ACCESS CONTROL MODELS
  • The active entities in a system are usually
    processes executing programs on behalf of users.
  • Information flow between objects, and thereby
    between security classes, is carried out by
    processes.
  • There is a potential for information flow from
    every object that a process reads to every object
    that it writes.
  • We assume that programs simply do not have the
    ability to cause information flows contrary to
    given policy.

20
ACCESS CONTROL MODELS
  • To understand access control and computer
    security, we must first understand the
    distinction between user and subject.
  • User: Human being
  • Subject: Process in the system.
  • Each authorized human user is known to the system
    as a unique user who can have several subjects
    executing on the user's behalf, but each subject
    is associated with only one user.
  • The access rights of subjects to objects in a
    system are conceptually represented by an access
    matrix.
  • The matrix has a row for every subject and a
    column for every object.

21
ACCESS CONTROL MODELS
  • A subject can also be an object in the system
    (e.g. a process may have suspend and resume
    operations executed on it by some other process).
  • In general the subjects are viewed as a subset of
    the objects.
  • For example: read ∈ [s, o].
  • For the purpose of the access matrix, every user is
    also regarded as a subject in its own right. The
    subject will retain the access rights of the
    user, even if the user is not engaged in any
    activity in the system.
  • The access matrix is usually sparse and is stored
    in a system using access control lists,
    capabilities, relations, or other data structures
    suitable for efficient storage of a sparse matrix.

22
ACCESS CONTROL MODELS
  • The access matrix is a dynamic entity. The
    individual cells of the access matrix can be
    modified by subjects.
  • For example: own ∈ [s, o]
  • The owner of an object has complete discretion
    regarding access by other subjects to the
    owned object. Such access controls are said to be
    discretionary.
  • Discretionary access controls are inadequate to
    enforce information flow policies.
  • In summary, even if users are trusted not to
    deliberately breach security, we have to contend
    with Trojan Horses which have been programmed to
    deliberately do so.
  • The solution is to impose mandatory controls
    which cannot be bypassed even by Trojan Horses.

23
BELL-LAPADULA MODEL
  • The concept of mandatory access controls was
    first formalized by Bell and LaPadula.
  • The key idea in BLP is to augment discretionary
    access controls with mandatory access controls,
    so as to enforce information flow policies.
  • The mandatory access control policy is expressed
    in terms of security labels attached to subjects
    and objects. A label on an object is called a
    security classification, while a label on a user
    is called a security clearance.
  • Security labels, once assigned to subjects and
    objects, cannot be changed. This is known as
    tranquility.

24
BLP BASIC ASSUMPTIONS
25
BLP MODEL
  • The specific mandatory access rules given in BLP
    are as follows, where λ signifies the security
    label of the indicated subject or object.
  • Simple-Security Property: Subject s can read
    object o only if λ(s) ≥ λ(o).
  • *-Property: Subject s can write object o only
    if λ(s) ≤ λ(o). (The *-property is pronounced
    the star-property.)

26
STAR-PROPERTY
  • Applies to subjects, not to users
  • Users are trusted (must be trusted) not to
    disclose secret information outside of the
    computer system
  • Subjects are not trusted because they may have
    Trojan Horses embedded in the code they execute
  • The star-property prevents overt leakage of
    information and does not address the covert
    channel problem

27
BLP MODEL
28
BLP MODEL
  • Unfortunately, the mandatory controls do not
    solve the Trojan Horse problem completely.
  • Covert Channels present a formidable problem for
    enforcement of information flow policies.
  • They are difficult to detect and once detected
    are difficult to close without incurring
    significant performance penalties.
  • Covert Channels do tend to be noisy due to
    interference.

29
BIBA MODEL
  • Formulated for the purpose of integrity.
  • The basic concept of the Biba model is that
    low-integrity information should not be allowed
    to flow to high-integrity objects, whereas the
    opposite is acceptable.
  • In the Biba model, high integrity is placed
    towards the top of the lattice of security labels
    and low integrity towards the bottom.
  • The information flow is from top to bottom.

30
BIBA MODEL
  • Simple-Integrity Property: Subject s can read
    object o only if ω(s) ≤ ω(o).
  • Integrity *-Property: Subject s can write object
    o only if ω(s) ≥ ω(o).
  • These properties are called the duals of the
    corresponding properties of BLP.
  • The Biba and BLP models can be combined in situations
    where both confidentiality and integrity are
    of concern.

31
COMPOSITE MODEL
  • The combined mandatory controls are as follows:
  • Subject s can read object o only if λ(s) ≥ λ(o)
    and ω(s) ≤ ω(o).
  • Subject s can write object o only if λ(s) ≤ λ(o)
    and ω(s) ≥ ω(o).
  • It is a popular model and has been implemented in
    several OS, database and network products.
  • It is the simultaneous application of two
    lattices, in which information flow occurs in
    opposite directions.
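The following is an added example, not from the slides, tying together the discretionary access matrix, the BLP rules, the Biba duals and the composite rules above. It models the Trojan Horse argument of the earlier slides: a process running on behalf of a cleared user reads a secret object and writes what it read into an object a lower-cleared user can read. Discretionary rights alone allow that flow; the *-property denies the write. The entity names, the two-level integrity lattice and the access matrix contents are constructed for the example; λ and ω are taken as linearly ordered levels, which is enough to show the rules.

```python
from dataclasses import dataclass

# Linearly ordered label sets (constructed for the example; the slides use TS > S > C > U).
CONF = {"U": 0, "C": 1, "S": 2, "TS": 3}   # confidentiality: lambda(s), lambda(o)
INTEG = {"LOW": 0, "HIGH": 1}              # integrity: omega(s), omega(o); two levels assumed


@dataclass(frozen=True)
class Entity:
    name: str
    conf: str    # lambda: BLP confidentiality label
    integ: str   # omega: Biba integrity label


# --- mandatory rules, as stated on the slides ---
def blp_read(s, o):       # simple-security property: lambda(s) >= lambda(o)
    return CONF[s.conf] >= CONF[o.conf]

def blp_write(s, o):      # *-property: lambda(s) <= lambda(o)
    return CONF[s.conf] <= CONF[o.conf]

def biba_read(s, o):      # simple-integrity property: omega(s) <= omega(o)
    return INTEG[s.integ] <= INTEG[o.integ]

def biba_write(s, o):     # integrity *-property: omega(s) >= omega(o)
    return INTEG[s.integ] >= INTEG[o.integ]

def composite_read(s, o):
    return blp_read(s, o) and biba_read(s, o)

def composite_write(s, o):
    return blp_write(s, o) and biba_write(s, o)


# --- discretionary access matrix: matrix[(subject, object)] -> set of rights ---
def dac_allows(matrix, s, o, right):
    return right in matrix.get((s.name, o.name), set())


def trojan_copy(matrix, subject, src, dst, mandatory=True):
    """A process (possibly carrying a Trojan horse) running as `subject` reads `src`
    and writes what it read into `dst`. Returns True if that information flow succeeds."""
    if not (dac_allows(matrix, subject, src, "read") and dac_allows(matrix, subject, dst, "write")):
        return False                      # discretionary controls alone
    if mandatory and not (composite_read(subject, src) and composite_write(subject, dst)):
        return False                      # BLP + Biba stop the flow
    return True


# Constructed scenario: Alice is cleared to S; the editor she runs carries a Trojan horse
# that copies her secret file into a file that Bob (cleared to U) can read.
alice = Entity("alice", "S", "HIGH")
bob = Entity("bob", "U", "LOW")
secret = Entity("secret.doc", "S", "HIGH")
public = Entity("public.txt", "U", "LOW")
report = Entity("report.doc", "S", "HIGH")

MATRIX = {
    ("alice", "secret.doc"): {"own", "read", "write"},
    ("alice", "public.txt"): {"own", "read", "write"},   # Alice owns it, so DAC lets her write it
    ("alice", "report.doc"): {"read", "write"},
    ("bob", "public.txt"): {"read"},
}

def leak_with_dac_only():
    return trojan_copy(MATRIX, alice, secret, public, mandatory=False)

def leak_with_mandatory_controls():
    return trojan_copy(MATRIX, alice, secret, public, mandatory=True)

def legitimate_edit():
    return trojan_copy(MATRIX, alice, secret, report, mandatory=True)


if __name__ == "__main__":
    print("DAC only, leak succeeds:", leak_with_dac_only())
    print("with BLP/Biba, leak succeeds:", leak_with_mandatory_controls())
    print("Alice copying secret.doc into report.doc:", legitimate_edit())
```

Note that BLP alone would let Bob's process write upwards into `secret.doc` (a blind write-up satisfies λ(s) ≤ λ(o)); it is the integrity *-property in the composite rule that stops a LOW-integrity subject from modifying a HIGH-integrity object.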

32
Composite Model
33
EQUIVALENCE OF BLP AND BIBA
  • Information flow in the Biba model is from top to
    bottom
  • Information flow in the BLP model is from bottom
    to top
  • Since top and bottom are relative terms, the two
    models are fundamentally equivalent and
    interchangeable
  • Lattice-based access control is a mechanism for
    enforcing one-way information flow, which can be
    applied to confidentiality or integrity goals
  • We will use the BLP formulation with high
    confidentiality at the top of the lattice, and
    high integrity at the bottom

34
EQUIVALENCE OF BLP AND BIBA
35
EQUIVALENCE OF BLP AND BIBA
36
COMBINATION OF DISTINCT LATTICES
37
Chinese Walls
  • Access control model for the financial
    segment of the commercial sector.
  • Prevention of information flows which cause
    conflicts of interest (COI) for individual
    consultants.
  • Access Rule: Subject S can access Object O
    only if
  • O is in the same company dataset as some
    object previously read by S, or
  • O belongs to a COI class within which S has
    not read any object.

38
Chinese Walls
39
Chinese Walls
  • A newly enrolled user in the system is
    assigned the clearance [⊥, ⊥]. (This assumes that
    the user is entering the system with a clean
    slate.)
  • A user who has had prior exposure to company
    information in some other system should enter
    with an appropriate clearance reflecting the
    extent of this prior exposure.
  • As the user reads various company information,
    the user's clearance floats up in the lattice.
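An added example, not part of the slides, of the Chinese Wall access rule and the floating clearance. A label is a vector with one slot per COI class, each slot holding ⊥ (nothing read in that class), a company name, or ⊤ (two companies of the same class, i.e. a conflict); a read is permitted by the rule on the previous slide and afterwards the clearance floats up to its join with the object's label. The COI classes and company names are constructed; the `Consultant` class and the ASCII spellings `bottom`/`top` for ⊥/⊤ are this example's own.

```python
BOTTOM, TOP = "bottom", "top"   # lattice extremes per COI class: nothing read yet / conflict

# Constructed conflict-of-interest classes; each company has its own company dataset (CDS).
COI_CLASSES = {"banks": ("BankA", "BankB"), "oil": ("OilX", "OilY")}
COI_INDEX = {name: i for i, name in enumerate(COI_CLASSES)}
COMPANY_COI = {company: coi for coi, companies in COI_CLASSES.items() for company in companies}


def object_label(company):
    """Label of an object in company's CDS: that company in its COI slot, bottom elsewhere."""
    label = [BOTTOM] * len(COI_CLASSES)
    label[COI_INDEX[COMPANY_COI[company]]] = company
    return tuple(label)


def join_entry(x, y):
    if x == y or y == BOTTOM:
        return x
    if x == BOTTOM:
        return y
    return TOP            # two different companies of one COI class: conflict


def join(u, v):
    """Least upper bound of two labels, slot by slot."""
    return tuple(join_entry(x, y) for x, y in zip(u, v))


class Consultant:
    def __init__(self, name, clearance=None):
        # New users enter with a clean slate [bottom, ..., bottom]; a user with prior
        # exposure in another system is created with a clearance reflecting it.
        self.name = name
        self.clearance = tuple(clearance) if clearance is not None else (BOTTOM,) * len(COI_CLASSES)
        self.history = []

    def can_read(self, company):
        """The slide's rule: same CDS as something already read, or a COI class not yet touched."""
        entry = self.clearance[COI_INDEX[COMPANY_COI[company]]]
        return entry == company or entry == BOTTOM

    def read(self, company):
        if not self.can_read(company):
            return False
        # The clearance floats up to the join with the object's label.
        self.clearance = join(self.clearance, object_label(company))
        assert TOP not in self.clearance   # the rule above guarantees no conflict slot appears
        self.history.append(company)
        return True


def demo():
    """Alice reads BankA, OilX, then is refused BankB (conflict) but may re-read BankA."""
    alice = Consultant("alice")
    results = [alice.read(c) for c in ("BankA", "OilX", "BankB", "BankA")]
    return results, alice.clearance


if __name__ == "__main__":
    print(demo())
```

The join function is what makes the "floats up" wording precise: once a slot holds a company, the only labels the user can still be joined with without hitting ⊤ are that company's own objects, so the wall goes up automatically after the first read in each COI class.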

40
Questions and Suggestions!!!!!
41
THANK YOU