Computer Security Integrity Policies - PowerPoint PPT Presentation

Slides: 24
Provided by: MikeBur3


1
Computer Security: Integrity Policies
2
Integrity Policies
  • Commercial requirements:
  • Users should not write their own programs.
  • Programmers will develop and test programs on a
    non-production system.
  • A special process must be followed to install a
    program from the development system onto the
    production system.
  • This process must be controlled and audited.
  • Managers and auditors must have access to both
    the system state and the log state.

3
Integrity Policies
  • Goals:
  • Separation of duties.
  • Separation of function (developers and testers).
  • Auditing: recovery and accountability.

4
Biba Integrity Model
  • Basically a dual of the Bell-LaPadula model.
  • We have a subject set $S$, an object set $O$, a set
    of integrity levels $I$, and a relation $\leq$ on $I$.
  • Let $i : S \cup O \to I$ return the integrity level.
  • Relations:
  • $r$: ability to read an object
  • $w$: ability to write an object
  • $x$: ability to execute a subject

5
Information Transfer Path
  • An information transfer path is a sequence of
    objects
  • $o_1, \ldots, o_{n+1}$
  • and a corresponding sequence of subjects
  • $s_1, \ldots, s_n$
  • such that $s_j \; r \; o_j$ and $s_j \; w \; o_{j+1}$ for all $j$.

6
Low-Water-Mark Policy
  • $s \in S$ can write to $o \in O$ iff $i(o) \leq i(s)$.
  • If $s \in S$ reads $o \in O$ then $i'(s) = \min(i(s), i(o))$,
    where $i'(s)$ is the integrity level of $s$
    after the read.
  • $s_1 \in S$ can execute $s_2 \in S$ iff $i(s_2) \leq i(s_1)$.
  • So:
  • write up is prevented (prevents the implanting of
    corrupted data);
  • the integrity level drops on read access to lower-level
    objects (prevents contaminating a subject that relies
    on less trustworthy data);
  • execute up is prevented.

7
Low-Water-Mark Policy
  • Theorem: If there is an information transfer path
    from $o_1 \in O$ to $o_{n+1} \in O$, then enforcement of the
    low-water-mark policy requires that
    $i(o_{n+1}) \leq i(o_1)$ for all $n > 1$.
  • Proof:
  • The integrity level cannot go up. Proof by
    induction.

8
Low-Water-Mark Policy
  • Problem:
  • The integrity level of a subject is non-increasing,
    resulting in some subjects eventually being unable
    to access certain objects.

9
Ring Policy
  • This ignores indirect modifications and
    focuses on direct modifications.
  • $s \in S$ can write to $o \in O$ iff $i(o) \leq i(s)$.
  • $s \in S$ can read any $o \in O$.
  • $s_1 \in S$ can execute $s_2 \in S$ iff $i(s_2) \leq i(s_1)$.
  • Difference: subjects can read any object.

10
Biba's Strict Integrity Policy
  • $s \in S$ can write to $o \in O$ iff $i(o) \leq i(s)$.
  • $s \in S$ can read $o \in O$ iff $i(s) \leq i(o)$.
  • $s_1 \in S$ can execute $s_2 \in S$ iff $i(s_2) \leq i(s_1)$.
  • So:
  • write up is prevented;
  • read down is prevented (prevents relying on less
    trustworthy data);
  • execute up is prevented.
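The three Biba variants of slides 6 to 10 as one small reference monitor, added here as an example (not code from the slides). It also walks the information transfer path of slide 5, from a low-integrity $o_1$ towards a high-integrity $o_3$, to show which policy stops the contaminated write; the subject and object names and their integer integrity levels are constructed.

```python
# Added example: the three Biba variants (slides 6-10) as one reference monitor.
# Integrity levels are integers, higher = more trusted; all names are constructed.
from typing import Dict, List, Tuple


class Biba:
    """Mediates r/w/x requests under 'low-water-mark', 'ring' or 'strict'."""

    def __init__(self, mode: str, subjects: Dict[str, int], objects: Dict[str, int]):
        assert mode in ("low-water-mark", "ring", "strict")
        self.mode = mode
        self.subj = dict(subjects)  # current i(s); only low-water-mark changes it
        self.obj = dict(objects)    # i(o) never changes

    def write(self, s: str, o: str) -> bool:
        # Common to all three: s may write o iff i(o) <= i(s) (no write up).
        return self.obj[o] <= self.subj[s]

    def read(self, s: str, o: str) -> bool:
        if self.mode == "strict":
            return self.subj[s] <= self.obj[o]  # no read down
        if self.mode == "low-water-mark":
            # The read is allowed, but afterwards i'(s) = min(i(s), i(o)).
            self.subj[s] = min(self.subj[s], self.obj[o])
        return True  # ring and low-water-mark: any object may be read

    def execute(self, s1: str, s2: str) -> bool:
        # Common to all three: s1 may execute s2 iff i(s2) <= i(s1) (no execute up).
        return self.subj[s2] <= self.subj[s1]


def transfer_path(mode: str) -> Tuple[List[bool], Dict[str, int]]:
    """Walk the information transfer path of slide 5 (s_j reads o_j, then
    writes o_{j+1}) from low-integrity o1 towards high-integrity o3.
    Returns whether each write went through and the final subject levels."""
    m = Biba(mode, {"s1": 3, "s2": 3}, {"o1": 1, "o2": 3, "o3": 3})
    outcomes = []
    for s, src, dst in (("s1", "o1", "o2"), ("s2", "o2", "o3")):
        outcomes.append(m.read(s, src) and m.write(s, dst))
    return outcomes, dict(m.subj)


if __name__ == "__main__":
    for mode in ("low-water-mark", "ring", "strict"):
        print(mode, transfer_path(mode))
```

Under the ring policy both writes succeed, so data read from $o_1$ reaches $o_3$ through $o_2$; the low-water-mark policy lets $s_1$ read $o_1$ but drops $s_1$ to level 1 so the write to $o_2$ is refused, and the strict policy refuses the read itself.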

11
Lipner's Integrity Matrix Model
  • Basic security levels:
  • Audit Manager (AM): system and management
    functions.
  • System Low (SL): any process can read information at
    this level.
  • Categories:
  • Development (D)
  • Production Code (PC)
  • Production Data (PD)
  • System Development (SD)
  • Software Tools (T)

12
Lipner's Integrity Matrix Model
  • Users: clearance levels
  • Ordinary users: (SL, {PC, PD})
  • Application developers: (SL, {D, T})
  • System programmers: (SL, {SD, T})
  • System managers and auditors: (AM, {D, PC, PD, SD, T})
  • System controllers: (SL, {D, PC, PD, SD, T}) and
    downgrade privileges.

13
Reminder: The Bell-LaPadula Model
  • ss-property:
  • $(s, o, p) \in S \times O \times P$ satisfies the ss-property relative
    to the security level $f$ iff one of the following
    holds:
  • $p = e$ or $p = a$;
  • $p = r$ or $p = w$, and $f_c(s) \text{ dom } f_o(o)$.

Also DAC!
14
Reminder: The Bell-LaPadula Model
  • Define $b(s : p_1, \ldots, p_n)$ to be the set of objects
    that $s$ has access to.
  • *-property:
  • For each $s \in S$ the following hold:
  • $b(s : a) \neq \emptyset \Rightarrow \forall o \in b(s : a)\,[f_o(o) \text{ dom } f_c(s)]$
    (write-up)
  • $b(s : w) \neq \emptyset \Rightarrow \forall o \in b(s : w)\,[f_c(s) = f_o(o)]$
    (equality for read and write)
  • $b(s : r) \neq \emptyset \Rightarrow \forall o \in b(s : r)\,[f_c(s) \text{ dom } f_o(o)]$
    (read-down)

Also DAC!
15
Lipner's Integrity Matrix Model
  • Lipner's model combines Biba and Bell-LaPadula.
  • Bell-LaPadula model:
  • simple security condition
  • *-property
  • For example:
  • an ordinary user can execute production code; if
    he needs to alter production data, the *-property
    dictates that the data be in (System Low,
    {Production Code, Production Data}).

16
Lipner's Integrity Matrix Model
  • Objects: class
  • Development code/test data: (SL, {D, T})
  • Production code: (SL, {PC})
  • Production data: (SL, {PC, PD})
  • Software tools: (SL, {T})
  • System programs: (SL, $\emptyset$)
  • System programs in modification: (SL, {SD, T})
  • System and application logs: (AM, {appropriate
    categories})
  • Logs are append only. By the *-property their
    class must dominate those of the subjects that
    write to them.
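The clearances of slide 12 and the object classes of slide 16 as (level, category-set) labels, checked with the Bell-LaPadula dominance relation and the *-property of slide 14; this is an added example, not code from the slides. The subject and object names, and the log's categories {PC, PD}, are constructed; the Biba half of Lipner's model is left out, as on these slides.

```python
# Added example: Lipner's labels (slides 12 and 16) as (level, categories)
# pairs, with the BLP dominance relation and the *-property of slide 14.
from typing import FrozenSet, Tuple

Label = Tuple[str, FrozenSet[str]]
LEVELS = {"SL": 0, "AM": 1}  # System Low sits below Audit Manager


def dom(x: Label, y: Label) -> bool:
    """x dom y iff level(x) >= level(y) and categories(x) include categories(y)."""
    return LEVELS[x[0]] >= LEVELS[y[0]] and x[1] >= y[1]


# Clearances of slide 12 (f_c) and object classes of slide 16 (f_o); constructed names.
SUBJECTS = {
    "ordinary user": ("SL", frozenset({"PC", "PD"})),
    "application developer": ("SL", frozenset({"D", "T"})),
    "system programmer": ("SL", frozenset({"SD", "T"})),
}
OBJECTS = {
    "development code": ("SL", frozenset({"D", "T"})),
    "production code": ("SL", frozenset({"PC"})),
    "production data": ("SL", frozenset({"PC", "PD"})),
    "system programs": ("SL", frozenset()),
    "production log": ("AM", frozenset({"PC", "PD"})),  # (AM, appropriate categories)
}


def allowed(subject: str, access: str, obj: str) -> bool:
    """*-property: r needs f_c(s) dom f_o(o); w needs f_c(s) = f_o(o);
    a (append, i.e. write-up) needs f_o(o) dom f_c(s)."""
    s, o = SUBJECTS[subject], OBJECTS[obj]
    if access == "r":
        return dom(s, o)
    if access == "w":
        return s == o
    if access == "a":
        return dom(o, s)
    raise ValueError(f"unknown access mode {access!r}")
```

An ordinary user can read production code, read and write production data, and append to the log, but can neither modify production code nor read the log, which is exactly the append-only behaviour the last bullet describes.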

17
The Clark-Wilson (CW) Model
  • This model addresses data integrity requirements
    for commercial applications, e.g. bank
    transactions.
  • Integrity requirements are divided into:
  • internal consistency: properties of the internal
    state that can be enforced by the computer
    system;
  • external consistency: the relation of the
    internal state to the real world, enforced by
    means outside the system, e.g. auditing.

18
The CW Model
  • Integrity is enforced by:
  • well-formed transactions: data items can be
    manipulated only by a specific set of programs;
    users have access to programs rather than to
    data items;
  • separation of duties: users have to collaborate
    to manipulate data, and would have to collude to
    penetrate the system.

19
The CW Model
  • In the Clark-Wilson model,
  • Subjects must be identified and authenticated,
  • Objects can be manipulated only by a restricted
    set of programs,
  • Subjects can execute only a restricted set of
    programs,
  • A proper audit log has to be maintained,
  • The system must be certified to work properly.

21
The CW Model
  • In the Clark-Wilson model:
  • data items are called Constrained Data Items
    (CDIs);
  • input items are Unconstrained Data Items (UDIs);
  • conversion of UDIs to CDIs cannot be controlled
    solely by the security mechanisms of the
    system;
  • CDIs can only be manipulated by Transformation
    Procedures (TPs);
  • the integrity of a state is checked by Integrity
    Verification Procedures (IVPs).

22
The CW Model
  • Security procedures are defined by 5
    certification rules:
  • 1. IVPs must ensure that all CDIs are in a valid
    state when the IVP is run.
  • 2. TPs must transform valid CDIs into valid
    CDIs.
  • 3. The allowed access relations must meet the
    requirements imposed by the principle of
    separation of duty.
  • 4. All TPs must write to an append-only CDI
    log.
  • 5. Any TP that takes a UDI as input must
    either convert it into a CDI or reject it.

23
The CW Model
  • Integrity is enforced by the 4 enforcement
    rules:
  • 1. The system must maintain and protect the
    certified relations $(TP_i, (CDI_a, CDI_b, \ldots))$ and
    ensure that only TPs certified to run on a CDI
    manipulate that CDI.
  • 2. The system must maintain and protect the list of
    entries $(User, TP_i, (CDI_a, CDI_b, \ldots))$ specifying the
    TPs that users can execute.
  • 3. The system must authenticate each user requesting
    to execute a TP.
  • 4. Only the certifier of a TP may modify the
    respective entities associated with that TP. No
    certifier of a TP may have execute permission
    with respect to that entity.
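A small reference monitor for the Clark-Wilson rules of slides 21 to 23, added here as an example (not code from the slides): enforcement rules 1 to 4 are checked at run time, and certification rules 1, 2, 4 and 5 appear as the IVP, a well-formed TP, the append-only log and the UDI conversion they govern. The account CDIs, the transfer TP and the user names are constructed.

```python
# Added example: a reference monitor for the Clark-Wilson rules of slides 21-23.
# The accounts (CDIs), the transfer TP and the user names are constructed.
from typing import Callable, Dict, List


def ivp(cdis: Dict[str, int]) -> bool:
    """C1: an integrity verification procedure; here no balance may be negative."""
    return all(v >= 0 for v in cdis.values())


def transfer(cdis: Dict[str, int], src: str, dst: str, amount: int) -> None:
    """C2: a well-formed TP that takes valid CDIs to valid CDIs (no overdraft)."""
    if cdis[src] < amount:
        raise ValueError("insufficient funds")
    cdis[src] -= amount
    cdis[dst] += amount


def udi_to_amount(udi: str):
    """C5: a TP given a UDI either converts it to a CDI value or rejects it (None)."""
    return int(udi) if udi.isdigit() and int(udi) > 0 else None


class Monitor:
    def __init__(self, cdis: Dict[str, int]):
        self.cdis = dict(cdis)
        self.certified: Dict[str, tuple] = {}  # E1: TP -> (fn, certifier, CDIs it may touch)
        self.allowed = set()        # E2: (user, TP, CDIs) triples
        self.authenticated = set()  # E3: users who have authenticated
        self.log: List[str] = []    # C4: append-only log, only ever appended to

    def certify(self, tp: str, fn: Callable, certifier: str, cdis) -> None:
        self.certified[tp] = (fn, certifier, frozenset(cdis))

    def run(self, user: str, tp: str, cdis, *args) -> bool:
        fn, certifier, scope = self.certified.get(tp, (None, None, frozenset()))
        checks = [
            (user in self.authenticated, "E3: user not authenticated"),
            (fn is not None and frozenset(cdis) <= scope, "E1: TP not certified for these CDIs"),
            (user != certifier, "E4: the certifier of a TP may not execute it"),
            ((user, tp, frozenset(cdis)) in self.allowed, "E2: user may not run this TP here"),
        ]
        for ok, reason in checks:
            if not ok:
                self.log.append(f"DENY {user} {tp} {reason}")
                return False
        try:
            fn(self.cdis, *cdis, *args)
        except ValueError as err:
            self.log.append(f"ABORT {user} {tp} {err}")
            return False
        self.log.append(f"OK {user} {tp} {list(cdis)}")
        return ivp(self.cdis)
```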