Lecture 17 Security

DAC vs. MAC
Most people are familiar with discretionary access control (DAC)
- Unix permission bits are an example
- Might set a file private so only group friends can read it
Discretionary means anyone with access can propagate information:
- mail sigint@enemy.gov < private
Mandatory access control
- Security administrator can restrict propagation
- Abbreviated MAC (NOT to be confused w. Message Authentication Code or Medium Access Control)
1/36

Bell-LaPadula model
View the system as subjects accessing objects
- The system input is requests, the output is decisions
- Objects can be organized in one or more hierarchies, H (a tree enforcing the type of descendants)
Four modes of access are possible:
- execute: no observation or alteration
- read: observation
- append: alteration
- write: both observation and alteration
The current access set, b, is a set of (subj, obj, attr) triples
An access matrix M encodes permissible access types (as before, subjects are rows, objects columns)
2/36

Security levels
A security level is a (c, s) pair:
- c = classification, e.g., unclassified, secret, top secret
- s = category-set, e.g., Nuclear, Crypto
(c1, s1) dominates (c2, s2) iff c1 ≥ c2 and s2 ⊆ s1
- "L1 dominates L2" is sometimes written L1 ⊒ L2 or L2 ⊑ L1
- levels then form a lattice (partial order w. lub & glb)
Subjects and objects are assigned security levels
- level(S), level(O): security level of subject/object
- current-level(S): a subject may operate at a lower level
- level(S) bounds current-level(S) (current-level(S) ⊑ level(S))
- Since level(S) is the max, it is sometimes called S's clearance
3/36

Security properties
The simple security or ss-property:
- For any (S, O, A) ∈ b, if A includes observation, then level(S) must dominate level(O)
- E.g., an unclassified user cannot read a top-secret document
The star security or *-property:
- If a subject can observe O1 and modify O2, then level(O2) dominates level(O1)
- E.g., cannot copy a top-secret file into a secret file
- More precisely, given (S, O, A) ∈ b:
  if A = r then current-level(S) ⊒ level(O) (no read up)
  if A = a then current-level(S) ⊑ level(O) (no write down)
  if A = w then current-level(S) = level(O)
4/36

The lattice model
[Lattice diagram: an edge from L1 to L2 means L1 ⊑ L2. Nodes: (unclassified, ∅); (secret, ∅); (secret, {Crypto}); (secret, {Nuclear}); (top-secret, ∅); (top-secret, {Crypto}); (top-secret, {Nuclear}); (top-secret, {Nuclear, Crypto})]
Information can only flow up the lattice
- System enforces "no read up, no write down"
- Think of ⊑ as the "can flow to" relation
5/36

Straw man MAC implementation
Take an ordinary Unix system
Put labels on all files and directories to track levels
Each user U has a security clearance, level(U)
Determine current security level dynamically
- When U logs in, start with lowest current-level
- Increase current-level as higher-level files are observed
...
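The security levels, the dominates relation with its lub and glb, the ss- and *-property checks, and the straw-man floating current-level from the slides above, worked through as an added Python example that is not part of the lecture. The numeric ranking of classifications (unclassified < secret < top-secret), the sample categories and the class and function names are assumptions of this example, not notation from the slides.

```python
"""Bell-LaPadula levels and access decisions (added example, not from the slides)."""
from dataclasses import dataclass
from typing import FrozenSet

# Linear order on classifications. The slides only name the levels; the
# numeric ranks are an assumption used to compare them.
RANK = {"unclassified": 0, "secret": 1, "top-secret": 2}
BY_RANK = {v: k for k, v in RANK.items()}


@dataclass(frozen=True)
class Level:
    """A security level is a (classification, category-set) pair."""
    c: str
    s: FrozenSet[str] = frozenset()

    def dominates(self, other: "Level") -> bool:
        # (c1, s1) dominates (c2, s2) iff c1 >= c2 and s2 is a subset of s1
        return RANK[self.c] >= RANK[other.c] and other.s <= self.s


def lub(a: Level, b: Level) -> Level:
    """Least upper bound: the higher classification, union of categories."""
    return Level(BY_RANK[max(RANK[a.c], RANK[b.c])], a.s | b.s)


def glb(a: Level, b: Level) -> Level:
    """Greatest lower bound: the lower classification, intersection of categories."""
    return Level(BY_RANK[min(RANK[a.c], RANK[b.c])], a.s & b.s)


OBSERVES = {"r", "w"}  # access modes that include observation


def ss_property(level_s: Level, level_o: Level, mode: str) -> bool:
    """Simple security: any observation requires level(S) to dominate level(O)."""
    return mode not in OBSERVES or level_s.dominates(level_o)


def star_property(current_s: Level, level_o: Level, mode: str) -> bool:
    """*-property, stated on the subject's current level: no read up, no write down."""
    if mode == "r":
        return current_s.dominates(level_o)   # current-level(S) above level(O)
    if mode == "a":
        return level_o.dominates(current_s)   # current-level(S) below level(O)
    if mode == "w":
        return current_s == level_o           # read and write: levels must be equal
    return True                               # 'e' neither observes nor alters


def decide(level_s: Level, current_s: Level, level_o: Level, mode: str) -> bool:
    """Decision for one (S, O, A) request: both properties must hold."""
    return ss_property(level_s, level_o, mode) and star_property(current_s, level_o, mode)


class StrawManSession:
    """Straw-man MAC from the slides: a login starts at the lowest level and the
    current-level floats upward (by lub) as higher-level files are observed,
    never rising above the user's clearance."""

    def __init__(self, clearance: Level):
        self.clearance = clearance
        self.current = Level("unclassified")

    def request(self, level_o: Level, mode: str) -> bool:
        if not ss_property(self.clearance, level_o, mode):
            return False                      # cannot observe above clearance
        if mode == "r":
            # a permitted read raises current-level; lub stays below clearance
            self.current = lub(self.current, level_o)
            return True
        return star_property(self.current, level_o, mode)


if __name__ == "__main__":
    # Constructed sample: a user cleared for (secret, {Crypto}).
    sess = StrawManSession(Level("secret", frozenset({"Crypto"})))
    print("read unclassified:", sess.request(Level("unclassified"), "r"))
    print("read secret/Crypto:", sess.request(Level("secret", frozenset({"Crypto"})), "r"))
    print("append to unclassified now:", sess.request(Level("unclassified"), "a"))
```

The session shows the effect the straw man aims for: after reading the secret/Crypto file, an append to an unclassified file is refused because the floated current-level no longer satisfies the *-property, even though the same user could append there before the read.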