Security in Information Systems: Chapter 3 - Mandatory access control

Security in Information Systems: Chapter 3 - Mandatory access control Introduction to Mandatory Access Control (Security Classes, MAC properties, Multilevel relation, Pros and cons of MAC), Proposed Models for MAC, MAC in Oracle Oracle Label Security.

Trang 1

MANDATORY ACCESS CONTROL

Tran Thi Que Nguyet

Faculty of Computer Science & Engineering

HCMC University of Technology ttqnguyet@cse.hcmut.edu.vn

1

Trang 2

Trường Đại Học Bách Khoa Tp.HCM

Khoa Khoa Học và Kỹ Thuật Máy Tính

Trang 4

 Mandatory Access Control (MAC):

 MAC applies to large amounts of information requiring strong protect in environments where both the system data and users can be classified clearly.

 MAC is a mechanism for enforcing multiple level of security.

4

Trang 5

 A subject classification reflects the degree of trust

and the application area.

 A object classification reflects the sensitivity of the

information.

Trang 6

TS ≥ S ≥ C ≥ U

6

Trang 7

 Categories tend to reflect the system areas or

departments of the organization.

 Example: there are 3 departments of the

organization: Sales, Production, Delivery

Trang 8

 A relation of partial order on the security classes:

SC ≤ SC’ is verified, only if:

A ≤ A’ and C’  C

 Examples:

(2, Sales) ≤ (3, (Sales, Production)) ?

(2, (Sales, Production)) ≤ (3, Sales) ?

8

Trang 10

 Simple security property: A subject S is not allowed

read access to an object O unless

class(S) ≥ class(O).

 No read-up

 Star property (or * property): A subject S is not

allowed to write an object O unless

class(S) ≤ class(O)

 No write-down

These restrictions together ensure that there is no direct flow

of information from high to low subjects!!!

10

Trang 11

Why star property?

Trang 12

Trang 13

Why star property?

Trang 14

Trang 15

Multilevel relation

 Multilevel relation: MAC + relational database

model

 Data objects: attributes and tuples

 Each attribute A is associated with a classification

attribute C

 A tuple classification attribute TC is to provide a

classification for each tuple as a whole, the highest

of all attribute classification values.

R(A 1 ,C 1 ,A 2 ,C 2 , …, A n ,C n ,TC)

 The apparent key of a multilevel relation is the set

of attributes that would have formed the primary

key in a regular (single-level) relation.

Trang 16

Trang 17

A user with security level S

SELECT * FROM EMPLOYEE

Multilevel relation

Trang 18

Bảo mật hệ thống thông tin Chương 5: Điều khiển truy cập bắt buộc (MAC)

18

A user with security level C

Multilevel relation

18

Trang 19

A user with security level U

Multilevel relation

Trang 20

20

Read and write operations: satisfy the No Read-Up

and No Write-Down principles.

Properties of Multilevel relation

20

Trang 21

Entity integrity: all attributes that are members of the

apparent key must not be null and must have the same

security classification within each individual tuple.

 In addition, all other attribute values in the tuple must

have a security classification greater than or equal to that of the apparent key.

 This constraint ensures that a user can see the key if

the user is permitted to see any part of the tuple at all.

Trang 22

22

Polyinstantiation: where several tuples can have the same apparent key value but have different attribute values for users at different classification levels.

22

Trang 23

Polyinstantiation example

 A user with security level C tries to update the

value of JobPerformance of Smith to ‘Excellent’:

UPDATE EMPLOYEE SET JobPerformance = ‘Excellent’

(security level C)

Trang 24

Trang 26

Trang 28

 Proposed by David Elliot Bell and Leonard J La Padula in 1973 to

apply into the applications of USA Government and Military

 A state of the system is described by the 3-tuple:

A state : (b, M, f), includes

 Access operations currently in use b

 List of tuples (s, o, a), s ∈ S, o ∈ O, a ∈ A.

 Access permission matrix

 M = (M s,o ) s∈S,o∈O , where M s,o ⊂ A

 Clearance and classiﬁcation f = (f S , f C , f O )

 f S : S → L maximal security level of a subject

 f C : S → L current security level of a subject (f C ≤ f S )

 f O : O → L classiﬁcation of an object

28

Trang 29

 Discretionary Security Property (ds-property)

 Access must be permitted by the access control matrix

for each (s, o, a) ∈ b, then a ∈ m[s, o]

 This is the discretionary access control part of the model

 The other two properties are the mandatory access control parts of the model

 Simple security property (ss-property)

 A state (b, M, f) satisﬁes the SS-property if

 ∀(s, o, a) ∈ b, such that a ∈ {read, write}

 f O (o) ≤ f S (s)

 I.e a subject can only observe objects of lower classiﬁcation

Trang 30

 What policy do we need for write access?

 Integrity: no write-up (to higher security levels)

 Conﬁdentiality: no write-down (to lower security levels)

 Bell-LaPadula concerns conﬁdentiality

 Subject must not transmit messages to subjects at lower levels

 Current security level allows communications

 A subject has to be downgraded to send messages

 Because subjects are computer programs

 they can be made to forget their knowledge when downgraded

30

Trang 31

 if ∃ (s, o, a) ∈ b where a ∈ {append, write},

 then ∀ o’, a’ ∈ {read, write}, such that (s, o’, a’) ∈ b, f O (o’) ≤ f O (o)

 I.e a subject can only alter objects of higher classiﬁcation,

 and cannot read a high-level object while writing to a low-level object

(2)

 ∀ (s, o, a) ∈ b, such that a ∈ {read}

 fc(s) ≥ fo(o)

Trang 32

Trang 33

 BLP assumes a ﬁxed rights

 assumes tranquillity (where permissions do not change)

 A tranquil operation does not change access rights.

 A tranquil system has no non-tranquil operation

 no model for access management

 no model for policy making

 Allows Covert Channels (home work!)

Trang 34

Trang 35

ORACLE LABEL SECURITY (OLS)

 Introduction

 Label components

 How OLS works?

Trang 36

 Simulates multilevel DB (MAC)

 Adds a field for each row to store the row’s

sensitive label

 Access is granted (or denied) by comparing user’s

identity and security clearance label with row’s

sensitive label

ref [http://docs.oracle.com]

36

Trang 37

SELECT * FROM order;

User User session label

Trang 38

 A user's policy privileges

 A table's policy enforcement options

38

Trang 39

ORACLE LABEL SECURITY (OLS)

 Introduction

 Label components

 How OLS works?

Trang 40

 A label contains three components:

 A single level (sensitivity) ranking

 Zero or more horizontal compartments

 Zero or more hierarchical groups

40

Trang 41

 Levels represent a hierarchy of data sensitivity

 The primary mechanism aims to prevent users who

are not authorized from seeing or altering certain

Trang 42

 The compartment component is not hierarchical

 Compartments identify areas that describe the

sensitivity of the labeled data, providing a finer

level of granularity within a level

 Example

 FIN, CHEM, OP

42

Trang 43

North Middle South

Country

 The group component is hierarchical and is used to

identify organizations owning or accessing the data.

Trang 44

Trang 46

Trang 47

User Access

 A user can only access data within the range of his

or her own label authorizations

 A user has:

 maximum and minimum levels

 a set of authorized compartments

 a set of authorized groups

 a specification of read-only access (or read/write) access for each compartment and group

 How to map user label and data label?

Trang 48

Trang 49

Grant authorizations on Groups

to user Alice

Trang 50

50

Assumption: Min level = EMP, all with Write Access

Định dạng
Số trang	51
Dung lượng	1,05 MB