Lecture5 - IS 2150 TEL 2810 Introduction to Security James...

Info icon This preview shows pages 1–12. Sign up to view the full content.

View Full Document Right Arrow Icon
IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor SIS Associate Professor, SIS Lecture 5 September 20, 2011 Security Policies Confidentiality Policies 1
Image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full Document Right Arrow Icon
Objectives Understanding/defining security policy and nature of trust Overview of different policy models Define/Understand existing Bell-LaPadula Define/Understand existing Bell LaPadula model of confidentiality how lattice helps? Understand the Biba integrity model 2
Image of page 2
Security Policies 3
Image of page 3

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full Document Right Arrow Icon
Security Policy Defines what it means for a system to be secure Formally: Partitions a system into Set of secure (authorized) states Set of non-secure (unauthorized) states Secure system is one that Starts in authorized state Cannot enter unauthorized state 4
Image of page 4
Confidentiality Policy Also known as information flow Transfer of rights Transfer of information without transfer of rights Temporal context Model often depends on trust Parts of system where information could flow Trusted entity must participate to enable flow Highly developed in Military/Government 5
Image of page 5

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full Document Right Arrow Icon
Integrity Policy Defines how information can be altered Entities allowed to alter data Conditions under which data can be altered Limits to change of data E l Examples: Purchase over $1000 requires signature Check over $10 000 must be approved by one Check over $10,000 must be approved by one person and cashed by another Separation of duties : for preventing fraud 6 Highly developed in commercial world
Image of page 6
Trust Theories and mechanisms rest on some trust assumptions Administrator installs patch 1. Trusts patch came from vendor, not tampered with in transit 2. Trusts vendor tested patch thoroughly Trusts vendor’s test environment corresponds to 3. Trusts vendor’s test environment corresponds to local environment 4. Trusts patch is installed correctly 7
Image of page 7

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full Document Right Arrow Icon
Trust in Formal Verification Formal verification provides a formal mathematical proof that given input i , program P produces output o as specified Suppose a security-related program S formally verified to work with operating system O Wh h i d i i What are the assumptions during its installation? 8
Image of page 8
Security Model A model that represents a particular policy or set of policies Abstracts details relevant to analysis Focus on specific characteristics of policies E.g., Multilevel security focuses on information flow control 9
Image of page 9

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full Document Right Arrow Icon
Security policies Military security policy Focuses on confidentiality Commercial security policy Primarily Integrity Transaction-oriented Begin in consistent state “Consistent” defined by specification Perform series of actions ( transaction ) A ti t b i t t d Actions cannot be interrupted If actions complete, system in consistent state If actions do not complete, system reverts to beginning (consistent) state 10
Image of page 10
Access Control Discretionary Access Control (DAC) Owner determines access rights Typically
Image of page 11

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full Document Right Arrow Icon
Image of page 12
This is the end of the preview. Sign up to access the rest of the document.

{[ snackBarMessage ]}

What students are saying

  • Left Quote Icon

    As a current student on this bumpy collegiate pathway, I stumbled upon Course Hero, where I can find study resources for nearly all my courses, get online help from tutors 24/7, and even share my old projects, papers, and lecture notes with other students.

    Student Picture

    Kiran Temple University Fox School of Business ‘17, Course Hero Intern

  • Left Quote Icon

    I cannot even describe how much Course Hero helped me this summer. It’s truly become something I can always rely on and help me. In the end, I was not only able to survive summer classes, but I was able to thrive thanks to Course Hero.

    Student Picture

    Dana University of Pennsylvania ‘17, Course Hero Intern

  • Left Quote Icon

    The ability to access any university’s resources through Course Hero proved invaluable in my case. I was behind on Tulane coursework and actually used UCLA’s materials to help me move forward and get everything together on time.

    Student Picture

    Jill Tulane University ‘16, Course Hero Intern