Lecture #6: Multilevel Security Models

1. djlogo.jpg Lecture #6: Multi-level Security Dr.Ramchandra Mangrulkar, DJSCE Mumbai August 13, 2020 Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #6: Multi-level Security August 13, 2020 1 / 24

2. djlogo.jpg Security Model What is your security policy? What rules decide who gets access to your data? Which entities governed by the policy? What are the rules that constitute the policy? Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #6: Multi-level Security August 13, 2020 2 / 24

6. djlogo.jpg How do we define Policy Security seems to mean something like “protection of assets against attack” Security for a wireless phone system may be very different from security for a military database system or an on-line banking system. Security for a given system is defined in terms of a security policy, also sometimes called a security model. The policy is the system specification wrt security. It’s a contract between the designer/implementor and the customer. Must be both achievable and adequate for the intended uses. Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #6: Multi-level Security August 13, 2020 3 / 24

10. djlogo.jpg Multi-level Security Figure: Multi-level Security 1 1Dieter-Gollmann-Wiley.Computer.Security.3rd.Edition Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #6: Multi-level Security August 13, 2020 4 / 24

11. djlogo.jpg Multi Level Security Model: The Institute Model What is your security policy? Ans: Role based model of Security. What rules decide who gets access to your data? Ans: defined according to policy. Which entities governed by the policy? Ans: Principal, Hod, Faculty, Non-Teaching, Office Persons, Teaching Assistant, Student, Daily Wages Workers What are the rules that constitute the policy? Principal, HOD - Top Secret, Faculty ,Office Staff- Secret Teaching Assistant, Student-Confidential Daily Wages Workers-Unclassified Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #6: Multi-level Security August 13, 2020 5 / 24

19. djlogo.jpg Policy Document Could be done informally in a natural language document In practice, such documents too often suﬀer from ambiguities, inconsistencies, and omissions. To avoid these problems, Institute might prefer a formal statement of your security policy. A policy may be characterized informally, semi-formally, or formally. Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #6: Multi-level Security August 13, 2020 6 / 24

23. djlogo.jpg Policy Document Metapolicy: The security goals in the most abstract sense Policy: System-specific constraints intended to enforce the metapolicy Faculty/staff may use student SAP numbers in documents/files/postings All older docs containing SAP must be destroyed unless deemed necessary Documents deemed necessary to retain must be kept in secure storage SAP Number of Students/Staffs must be protected from disclosure Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #6: Multi-level Security August 13, 2020 7 / 24

29. djlogo.jpg Secure System Design How do you design a secure system? What are you protecting and what are the potential threats? (risk assessment) What is the intuitive notion of security for such a system? (metapolicy) What are appropriate security rules that attempt to capture this notion for this system? (policy) Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #6: Multi-level Security August 13, 2020 8 / 24

33. djlogo.jpg Secure System Design What is an overall system architecture that supports our security goals? (system design) By what speciﬁc mechanisms might the security goals be accomplished? (detailed design) Does the system implementation accomplish the goal? How certain can we be of our assessment? Are there intuitively insecure behaviors that fall outside the range of the policy? Lots of other questions... Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #6: Multi-level Security August 13, 2020 9 / 24

39. djlogo.jpg Multilevel Security Models Bell La Padula Model Biba Model Chinese Wall Model Clark-Wilson Model Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #6: Multi-level Security August 13, 2020 10 / 24

43. djlogo.jpg Bell LaPadula Model David Bell, Len Lapadula An abstract model intended to control information flow Prevent unauthorized disclosure of information Objects have a security level (e.g., unclassified, classified, secret, top secret) Security levels are arranged in Linear order Subjects (think: principals, processes) have a level Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #6: Multi-level Security August 13, 2020 11 / 24

49. djlogo.jpg Bell La Padula Model for Institute Security Level Subject Object Top Secret Principal Personal Email Secret Secretary Official Email Confidential Office Assistant Personal Data(Drive), Official Data(PC) Unclassified HOD, Faculty NAAC Data, NBA Data, AICTE Data Table: Example: Simple Bell Lapdula Model Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #6: Multi-level Security August 13, 2020 12 / 24

50. djlogo.jpg Bell La Padula Model Figure: Information Flow 2 Information Flow “UP”not “DOWN” “No Read up”and “No Write Down” 2www.cs.utexas.edu/~byoung/cs361 Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #6: Multi-level Security August 13, 2020 13 / 24

53. djlogo.jpg Dominates Relation Figure: The Dominates Relation 3 3https://www.cs.utexas.edu/~byoung/cs361 Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #6: Multi-level Security August 13, 2020 14 / 24

54. djlogo.jpg Partial Order Figure: Partial Ordering 4 4https://www.cs.utexas.edu/~byoung/cs361 Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #6: Multi-level Security August 13, 2020 15 / 24

55. djlogo.jpg Lattices Algebraically, the (full) set of labels with their ordering would form a lattice. This is sometimes called “lattice-based security.” a lattice is a partially ordered set (or poset) Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #6: Multi-level Security August 13, 2020 16 / 24

56. djlogo.jpg Lattices Algebraically, the (full) set of labels with their ordering would form a lattice. This is sometimes called “lattice-based security.” a lattice is a partially ordered set (or poset) Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #6: Multi-level Security August 13, 2020 16 / 24

57. djlogo.jpg Secure Reading Suppose subject S with authorization (LS , CS ) asks to read an object O with classiﬁcation (LO, CO). Under what conditions should the request be granted by the system? For example, suppose a subject has clearance (Secret: Crypto). Which of the following should he be able to read? -document labeled (Conﬁdential: Crypto) -document labeled (Top Secret: Crypto) -document labeled (Secret: Nuclear) -document labeled (Secret: Crypto, Nuclear) Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #6: Multi-level Security August 13, 2020 17 / 24

58. djlogo.jpg Secure Reading Suppose subject S with authorization (LS , CS ) asks to read an object O with classiﬁcation (LO, CO). Under what conditions should the request be granted by the system? For example, suppose a subject has clearance (Secret: Crypto). Which of the following should he be able to read? -document labeled (Conﬁdential: Crypto) -document labeled (Top Secret: Crypto) -document labeled (Secret: Nuclear) -document labeled (Secret: Crypto, Nuclear) Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #6: Multi-level Security August 13, 2020 17 / 24

59. djlogo.jpg Simple-Security Property The Simple-Security Property: Subject S with clearance (LS , CS ) may be granted read access to object O with classiﬁcation (LO, CO) only if (LS , CS ) dominates (LO, CO). OR Subject S with clearance (LS , CS ) may be granted read access to object O with classiﬁcation (LO, CO) only if (LS , CS ) (LO; CO): Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #6: Multi-level Security August 13, 2020 18 / 24

62. djlogo.jpg Figure: Reading Information 5 5http://nob.cs.ucdavis.edu/ Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #6: Multi-level Security August 13, 2020 19 / 24

63. djlogo.jpg The *-Property The *-Property: Subject S with clearance (LS , CS ) may be granted write access to object O with classiﬁcation (LO, CO) only if (LS , CS ) (LO; CO): Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #6: Multi-level Security August 13, 2020 20 / 24

64. djlogo.jpg Figure: Writing Information 6 6http://nob.cs.ucdavis.edu/ Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #6: Multi-level Security August 13, 2020 21 / 24

65. djlogo.jpg Bell Lapdula Model : No Read Up, No Write Down Figure: Writing Information 7 7http://nob.cs.ucdavis.edu/ Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #6: Multi-level Security August 13, 2020 22 / 24

66. djlogo.jpg Example Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #6: Multi-level Security August 13, 2020 23 / 24

67. djlogo.jpg Open Questions Teaching assistant reading notes created by faculty. Faculty members correcting assignments of students. Faculty members correcting notes of Teaching Assistant. AICTE Letter received by Principal is opened and read by HODs HOD correcting applications made to Principal Principal putting remarks on Students applications Students correcting ppts made by Faculty HODs writing remarks on AICTE ﬁles meant for Principal HODs reading billing information submitted by Daily workers Dr.Ramchandra Mangrulkar, DJSCE Mumbai Lecture #6: Multi-level Security August 13, 2020 24 / 24

Lecture #6: Multilevel Security Models

More Related Content

What's hot (20)

Similar to Lecture #6: Multilevel Security Models (20)

More from Dr. Ramchandra Mangrulkar (20)

Recently uploaded (20)

Lecture #6: Multilevel Security Models