Differences between revisions 3 and 4
Revision 3 as of 2010-04-18 16:35:55
Size: 2113
Editor: 24-183-238-75
Comment:
Revision 4 as of 2010-04-18 17:21:45
Size: 4588
Editor: 24-183-238-75
Comment:
Line 48: Line 48:
The military security model is representative of a more general scheme, called a [[Lattice]] (You should understand the [[Lattice]] structure). The military security model is representative of a more general scheme, called a [[Lattice]] (You should understand the [[Lattice]] structure). 
Line 50: Line 50:
=== Bell-La Padula Confidentiality Model ===
Line 51: Line 52:
The relation <<latex($\le$)>> The Bell and La Padula model is a forma description of the allowable paths of information flow in a secure system. The model's goal is to identify allowable communication when maintaining secrecy is important.

Consider the following example:

{{{#!latex
\usepackage{amsmath}%
\setcounter{MaxMatrixCols}{30}%
\usepackage{amsfonts}%
\usepackage{amssymb}%
\usepackage{graphicx}
\usepackage{geometry}
\newtheorem{theorem}{Theorem}
\newtheorem{acknowledgement}[theorem]{Acknowledgement}
\newtheorem{algorithm}[theorem]{Algorithm}
\newtheorem{axiom}[theorem]{Axiom}
\newtheorem{case}[theorem]{Case}
\newtheorem{claim}[theorem]{Claim}
\newtheorem{conclusion}[theorem]{Conclusion}
\newtheorem{condition}[theorem]{Condition}
\newtheorem{conjecture}[theorem]{Conjecture}
\newtheorem{corollary}[theorem]{Corollary}
\newtheorem{criterion}[theorem]{Criterion}
\newtheorem{definition}[theorem]{Definition}
\newtheorem{example}[theorem]{Example}
\newtheorem{exercise}[theorem]{Exercise}
\newtheorem{lemma}[theorem]{Lemma}
\newtheorem{notation}[theorem]{Notation}
\newtheorem{problem}[theorem]{Problem}
\newtheorem{proposition}[theorem]{Proposition}
\newtheorem{remark}[theorem]{Remark}
\newtheorem{solution}[theorem]{Solution}
\newtheorem{summary}[theorem]{Summary}
\newenvironment{proof}[1][Proof]{\noindent\textbf{#1.} }{\ \rule{0.5em}{0.5em}}
\geometry{left=0.5in,right=0.5in,top=0.5in,bottom=0.5in}

%%end-prologue%%

Let $S$ be a set of subjects and $O$ be a set of objects. Each $s \in S$ and $o \in O$ has a fixed security class $C(s)$ and $C(o)$, denoting clearance and classification level respectively. The security classes are ordered by a relation $\le$. (Note: the classes may form a lattice, although the Bell-La Padula model applies to any partially ordered set.)

Two properties characterize the secure flow of information.\bigskip

\textbf{Simple Security Property}. A subject $s$ may have {\em read} access to an object $o$ only if $C(o) \le C(s)$.\bigskip

\textbf{*-Property} (called the ``star property''). A subject $s$ who has {\em read} access to an object $o$ may have {\em write} access to an object $p$ only if $C(o) \le C(p)$.\bigskip

}}}


Designing Trusted (Secure) Operating Systems

General operating systems provide:

  • memory protection
  • file protection
  • object access control
  • user authentication

We say that an operating system is trusted if we have confidence that it provides these four services consistently and effectively.

5.1 What is a Trusted System

We say that software is trusted software if we know that the code has been rigorously developed and analyzed, giving us reason to trust that the code does what it is expected to do and nothing more.

Trust is based on four characteristics:

  • Functional correctness
  • Enforcement of integrity
  • Limited privilege: privilege is confined to this program and is not leaked or passed on to other programs.
  • Appropriate confidence level: the examination of the program is commensurate with the degree of trust required to use the program.

5.2 Security Policies

A security policy is a statement of the security we expect the system to enforce.

See military example p 246.

What is the Chinese Wall Security Policy? (p 251).

Note: All of the policies given as examples in this section provide a statement delineating what is expected of the system. These rules are often, and should be, declarative in nature: they specify what the results should be, not how to achieve those results.

5.3 Security Models

Everyone uses models in some way to describe, study or analyze entities, relationships or situations. In security we model for several specific purposes:

  • Test a particular security policy for completeness and consistency
  • Document the policy
  • Conceptualize and design an implementation
  • Check that an implementation meets its requirements.

Lattice Model of Access Security

The military security model is representative of a more general scheme, called a Lattice (You should understand the Lattice structure).

Bell-La Padula Confidentiality Model

The Bell and La Padula model is a formal description of the allowable paths of information flow in a secure system. The model's goal is to identify allowable communication when maintaining secrecy is important.

Consider the following example:
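As an added illustration (not the example from the original notes), the lattice of security classes from the Lattice Model section and both Bell-La Padula properties, written in Python; labels are (level, compartments) pairs ordered by dominance, and the level and compartment names are constructed for the demo.

```python
# Added example: a security lattice of (level, compartments) labels and
# the Bell-La Padula simple-security and *-property checks over it.
from dataclasses import dataclass, field
from functools import reduce

# Constructed, linearly ordered sensitivity levels (lowest first).
LEVELS = ("UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET")

@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def __le__(self, other):
        # Dominance relation: level not higher AND compartments a subset.
        return (LEVELS.index(self.level) <= LEVELS.index(other.level)
                and self.compartments <= other.compartments)

def join(a, b):
    # Least upper bound: higher level, union of compartments.
    return Label(max(a.level, b.level, key=LEVELS.index),
                 a.compartments | b.compartments)

def meet(a, b):
    # Greatest lower bound: lower level, intersection of compartments.
    return Label(min(a.level, b.level, key=LEVELS.index),
                 a.compartments & b.compartments)

def comparable(a, b):
    # Labels with disjoint compartments are incomparable (a partial order).
    return a <= b or b <= a

def can_read(subject_label, object_label):
    # Simple security property: s may read o only if C(o) <= C(s).
    return object_label <= subject_label

def can_write(read_labels, target_label):
    # *-property: s holding read access to objects o may write p only if
    # C(o) <= C(p) for every such o, i.e. the join of the read labels <= C(p).
    if not read_labels:
        return True
    return reduce(join, read_labels) <= target_label

def demo():
    secret_nuke = Label("SECRET", frozenset({"NUKE"}))
    secret_crypto = Label("SECRET", frozenset({"CRYPTO"}))
    ts_both = Label("TOP SECRET", frozenset({"NUKE", "CRYPTO"}))
    unclass = Label("UNCLASSIFIED")
    return {
        "incomparable": not comparable(secret_nuke, secret_crypto),
        "ts_reads_nuke": can_read(ts_both, secret_nuke),          # read down: ok
        "nuke_reads_crypto": can_read(secret_nuke, secret_crypto),  # disjoint: no
        "write_down_blocked": can_write([secret_nuke], unclass),    # write down: no
        "write_up_ok": can_write([secret_nuke, secret_crypto], ts_both),
    }
```

The join in can_write is what makes the lattice structure matter: after reading from two incomparable compartments, the only objects the subject may still write to are those dominating both.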

SecureComputingChapter05 (last edited 2020-01-26 22:50:35 by 68)