15-349 Toward Trusted Systems

ThierrySans
November 12, 2014

Transcript

  1. Mandatory Access Control (MAC)

     A Mandatory Access Control (MAC) policy is a set of access control rules defined by the system itself
     ➡ Objectives of MAC policies
     • Ensure the confinement of trusted domains
     • Control the information flow between these trusted domains
  2. Differences between DAC and MAC

     DAC - Discretionary Access Control
     • The access control is realized by the system but defined by the users
     • The object owners manage the rights
     MAC - Mandatory Access Control
     • The access control is realized by the system and defined by the system (barely configurable)
     • The system (administrator) manages the rights
  3. MAC models discussed here

     Multilevel - concept of confinement
     • Bell-LaPadula confidentiality model (1973)
     • Biba integrity model (1977)
  4. Other MAC models

     Chinese Wall policy - avoiding conflicts of interest
     • Brewer and Nash model (1989)
     Transaction policy - avoiding illegal transactions
     • Clark and Wilson integrity model (1987)
     • TBAC (Task-Based Access Control) (1997)
     Separation of duties - avoiding fraud and errors
     • RBAC (Role-Based Access Control) (1992)
     • TMAC (Team-Based Access Control) (2004)
  5. Multilevel security

     ๏ Warning - Multilevel security is a MAC policy, but a MAC policy is not necessarily multilevel security
     Concept of confinement
     • Vertical confinement: compartments
     • Horizontal confinement: sensitivities
     Multilevel is also called the lattice model
     ➡ Partial order between pairs of compartments and sensitivities
  6. Confidentiality and Integrity

     Controlling information flow with a MAC policy, but for what purpose?
     • Confidentiality (also called Military Security Policy)
     • Integrity (also called Commercial Security Policy)
     What are the operations considered here?
     • Reading
     • Blind writing
  7. The Bell-LaPadula confidentiality model

     Objects have a confidentiality sensitivity level
     • Indicates the confidentiality of the information
     Subjects have a confidentiality clearance level
     • Indicates the user's ability not to release sensitive information
     • A subject with a high confidentiality clearance level is supposed to keep sensitive information secret
  8. Bell-LaPadula - Objective and Hypothesis

     Objective
     ➡ Avoiding illegal transmission of information between different confidentiality sensitivity levels
     Hypothesis
     ➡ A subject must choose a security clearance level when accessing an object - concept of sessions
     currentClearance(subject) ≤ clearanceMax(user)
  9. No Read Up - No Write Down

     Access is limited by the “Need to know” rule
     ➡ No Read Up
     confidentiality(object) ≤ currentClearance(user)
     Information leakage is limited by the “Star Property” rule
     ➡ No Write Down
     currentClearance(user) ≤ confidentiality(object)
  10. The limitations of the Bell-LaPadula model

     1. Concept of “declassification” in the extended Bell-LaPadula model
     ➡ Declassification must be trustworthy (paradox?)
     2. Sometimes hiding information is not enough, when the very existence of this information should be hidden
     ➡ Sensitive information systems must lie [Cuppens 94]
  11. The Biba integrity model

     Objects have an integrity sensitivity level
     • Indicates the reliability of the information
     Subjects have an integrity clearance level
     • Indicates the user's ability to release reliable information
     • A subject with a high integrity level is supposed to release reliable information
  12. Biba - Objective and Hypothesis

     Objective
     • Preventing a subject with a low integrity clearance from modifying high integrity objects using information from low integrity objects
     Hypothesis
     • There is no concept of session here
     • Integrity is not exactly the dual of confidentiality
  13. Biba in action

     Integrity levels (from high to low): Very Reliable, Reliable, Not Reliable
     Subjects: The Dean, Professor, Student
     Statements in the example: “Cows can fly!”, “Trojan horses cannot be trusted”, “The chicken came before the egg”
  14. No Write Up - No Read Down

     ✓ Only a reliable person can release reliable information
     ✓ This person must not be influenced by less reliable information
     ➡ No Write Up
     integrity(object) ≤ clearanceMax(subject)
     ➡ No Read Down
     clearanceMax(subject) ≤ integrity(object)
  15. Combining integrity and confidentiality

     An object has one and only one sensitivity level
     ➡ For reading and writing: clearanceMax(user) = security(object)
     ๏ Naive approach, not sustainable in practice
     An object has two sensitivity levels
     ➡ Each operation is either integrity or confidentiality sensitive (must be a strict distinction)
     ๏ Very hard to implement in practice
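As an added example (not part of the slides), a toy reference monitor that encodes the lattice partial order of slide 5, the session hypothesis of slide 8, the Bell-LaPadula rules of slide 9, the Biba rules of slide 14 and the two-label check of slide 15; the numeric level scale, compartment names and sample labels are constructed.

```python
from dataclasses import dataclass
from typing import FrozenSet

@dataclass(frozen=True)
class Label:
    """Lattice label: a sensitivity level plus a set of compartments."""
    level: int                    # sensitivity, constructed scale 0 (low) .. 3 (high)
    compartments: FrozenSet[str]  # compartments, constructed names such as {"nuclear"}

    def dominates(self, other: "Label") -> bool:
        # Partial order: self >= other iff the level is at least as high AND the
        # compartments are a superset; labels with disjoint compartments are incomparable.
        return self.level >= other.level and self.compartments >= other.compartments

def open_session(clearance_max: Label, requested: Label) -> Label:
    # Slide 8 hypothesis: currentClearance(subject) <= clearanceMax(user)
    if not clearance_max.dominates(requested):
        raise PermissionError("requested clearance exceeds clearanceMax")
    return requested

def blp_can_read(current_clearance: Label, obj_conf: Label) -> bool:
    # No Read Up: confidentiality(object) <= currentClearance(user)
    return current_clearance.dominates(obj_conf)

def blp_can_write(current_clearance: Label, obj_conf: Label) -> bool:
    # No Write Down (star property): currentClearance(user) <= confidentiality(object)
    return obj_conf.dominates(current_clearance)

def biba_can_write(subject_integrity: Label, obj_int: Label) -> bool:
    # No Write Up: integrity(object) <= clearanceMax(subject)
    return subject_integrity.dominates(obj_int)

def biba_can_read(subject_integrity: Label, obj_int: Label) -> bool:
    # No Read Down: clearanceMax(subject) <= integrity(object)
    return obj_int.dominates(subject_integrity)

def allowed(op: str, subj_conf: Label, subj_int: Label, obj_conf: Label, obj_int: Label) -> bool:
    # Slide 15, second approach: the object carries a confidentiality label and a
    # separate integrity label, and both models must agree on the operation.
    if op == "read":
        return blp_can_read(subj_conf, obj_conf) and biba_can_read(subj_int, obj_int)
    if op == "write":
        return blp_can_write(subj_conf, obj_conf) and biba_can_write(subj_int, obj_int)
    raise ValueError(f"unknown operation {op!r}")

if __name__ == "__main__":
    # Constructed sample: a Top Secret/{nuclear, crypto} user opens a Secret/{nuclear}
    # session and accesses a Secret report with no compartments: read ok, write down refused.
    session = open_session(Label(3, frozenset({"nuclear", "crypto"})), Label(2, frozenset({"nuclear"})))
    report = Label(2, frozenset())
    print("read:", blp_can_read(session, report), "write:", blp_can_write(session, report))
```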
  16. Building an OS around MAC and DAC

     Controlling the access based on two different policies
     • a MAC policy that rules all objects and all subjects (defining system trusted domains)
     • a DAC policy defined by users on the set of objects they own (defining user trusted domains)
     ➡ SELinux (Security-Enhanced Linux) from the NSA
  17. But hackers are smart ...

     ✓ Security policies control legitimate channels
     ๏ But there might be some non-legitimate channels
     ➡ Covert channels are out of the scope of the reference monitor