Mandatory Access Control (MAC), trusted OS features

Reading: Pfleeger, Chap 4, Chap 5
  DoD Trusted Computer System Evaluation Criteria
    http://csrc.ncsl.nist.gov/secpubs/rainbow/std001.txt
  Bell-LaPadula model:
    http://seclab.cs.ucdavis.edu/projects/history/papers/bell76.pdf

* access control policy - MAC vs DAC
    DAC - owner or creator decides access policy
    MAC - site decides policy (all data owned by site)

* assumptions of military security
    stakes are very high (national security)
    costs are less important
    try hard for "perfect security"
    focus on data confidentiality, not integrity - BAD

* "site" or facility policy must be enforced
    all data is owned by the "site", not by the users
    site policy must override user's wishes
    users should not be able to give away access

* DoD security classification system
    security levels - ordered
    security "categories" - non-ordered

* security levels
    top secret (TS)
    secret (S)
    confidential (C)
    "FOUO"
    unclassified (U)
    DoE uses a different system
    NATO, UK, others use similar systems

* security categories - non-hierarchical
    orthogonal to levels
    embody "need to know"
    unified categories = caveats + code words + compartments + handling markings
    each one is a "bit" that relates to a domain of information (project, technology)

* people and systems - trust
    only "trusted" people have access
    implies only "trusted" systems can contain the data
    what is trust, really? (Snowman, Hansen, etc.)

* trust for people
    successful investigation leads to a level of trust
    formalized in a security clearance (level)
    "need to know" is "orthogonal" - categories
    security clearance is security level + (optional) categories

* trust for systems
    "accreditation" leads to "facility clearance"
    based on adherence to policies
    based on some testing
    based on some assumptions about systems' capabilities
    is a formal, expensive process

* objects, subjects and rules
    objects have sensitivity labels
    subjects have sensitivity "rights"
    rules - how may subjects access objects?
* one policy - Bell-LaPadula model
    a mandatory confidentiality policy
    attempts to embody military classification rules
    formally specified, "proven"
    basis for almost all MAC work since 1977
    a lattice model - requires some comparison operator, "dominance"

* Bell-LaPadula model - assumptions
    every object has a label
    every subject has a "label"
    some trusted mediator checks *every* access by subject to object
    two rules - simple security and *-property

* labels and "clearances"
    generally, use "sensitivity level" for both subjects and objects
    label = level + compartments
    label stored with each object
    subject gets label from authenticated user's clearance
      ("subject acquires user's credentials")

* what is dominance?
    for A >= B to be true:
      level(A) >= level(B) AND
      all compart(B) are in compart(A)  [means compart(B) is a subset of compart(A)]

* simple security
    to read, C(s) >= C(o)
    no read from higher
    may read things at the same level or lower
    "can't see things you shouldn't"
    pure confidentiality

* "*-property"
    to write, C(s) <= C(o)
    no write-down
    "can't give away information"
    "can't change classification (down)"
    enforces classification rules and behavior
    prohibits high-level (trusted) subject from going around rules

* insert some B-L examples here...

* What is missing from B-L model?
    it is a confidentiality model only
    "bad" data can still be propagated around
    need integrity

* "Biba integrity" model
    is the mirror of B-L
    has simple integrity - "no read from lower integrity"
    has integrity *-property - "no write to higher integrity"

* "real" security
    B-L for confidentiality
    Biba for integrity
    DAC for finer-grained control

* B-L implemented in:
    Multics - 1976
    SCOMP - late 1970s
    KSOS - late 1970s
    KSOS-32 - 1980s
    VAX Security Kernel - 1980s
    Tmach
    UNICOS (Cray UNIX) - early 1990s
    Trusted Solaris - late 1990s

* Biba implemented in:
    KSOS and KSOS-32

$Id: class-09-mandatory-access-control,v 1.5 2003/09/24 19:16:59 tep Exp $
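Added example, not part of the lecture notes: a small Python reference monitor that
implements the dominance operator, the Bell-LaPadula simple security and *-property
rules, and the mirrored Biba rules from the sections above, and combines them the way
the "real security" item suggests (an access must pass both). The level names U, C, S,
TS come from the notes; the category names (NUCLEAR, CRYPTO) and the subject/object
labels in demo() are constructed sample data. The check that a label's level is a known
one is an added assumption, not something the notes specify.

```python
"""Bell-LaPadula and Biba checks over a sensitivity lattice (added example)."""
from dataclasses import dataclass, field

# Ordered security levels, lowest first (the notes' U < C < S < TS).
LEVELS = ["U", "C", "S", "TS"]


@dataclass(frozen=True)
class Label:
    """label = level + compartments (categories), as in the notes."""
    level: str
    categories: frozenset = field(default_factory=frozenset)

    def __post_init__(self):
        # Assumption: reject levels that are not in the lattice.
        if self.level not in LEVELS:
            raise ValueError(f"unknown level {self.level!r}")

    def dominates(self, other: "Label") -> bool:
        """A >= B: level(A) >= level(B) AND compart(B) is a subset of compart(A)."""
        return (LEVELS.index(self.level) >= LEVELS.index(other.level)
                and other.categories <= self.categories)


def label(level: str, *cats: str) -> Label:
    """Convenience constructor: label("S", "NUCLEAR", "CRYPTO")."""
    return Label(level, frozenset(cats))


# Bell-LaPadula (confidentiality): C(s) is the subject label, C(o) the object label.
def blp_can_read(subject: Label, obj: Label) -> bool:
    """Simple security: read only if C(s) >= C(o) (no read from higher)."""
    return subject.dominates(obj)


def blp_can_write(subject: Label, obj: Label) -> bool:
    """*-property: write only if C(s) <= C(o) (no write-down)."""
    return obj.dominates(subject)


# Biba (integrity): the mirror image, applied to integrity labels on the same lattice.
def biba_can_read(subject: Label, obj: Label) -> bool:
    """Simple integrity: no read from lower integrity, i.e. I(o) >= I(s)."""
    return obj.dominates(subject)


def biba_can_write(subject: Label, obj: Label) -> bool:
    """Integrity *-property: no write to higher integrity, i.e. I(s) >= I(o)."""
    return subject.dominates(obj)


def mediate(op: str, subj_conf: Label, obj_conf: Label,
            subj_int: Label, obj_int: Label) -> bool:
    """Trusted mediator: allow an access only if B-L and Biba both permit it."""
    if op == "read":
        return blp_can_read(subj_conf, obj_conf) and biba_can_read(subj_int, obj_int)
    if op == "write":
        return blp_can_write(subj_conf, obj_conf) and biba_can_write(subj_int, obj_int)
    raise ValueError(f"unknown operation {op!r}")


def demo() -> dict:
    """Worked B-L scenario with constructed labels; returns the access decisions."""
    analyst = label("S", "NUCLEAR")           # cleared Secret, NUCLEAR compartment
    report = label("C", "NUCLEAR")            # Confidential NUCLEAR report
    plan = label("TS", "NUCLEAR", "CRYPTO")   # Top Secret, two compartments
    crypto_memo = label("S", "CRYPTO")        # same level, compartment the analyst lacks
    return {
        "read report": blp_can_read(analyst, report),            # True: S/NUCLEAR >= C/NUCLEAR
        "read plan": blp_can_read(analyst, plan),                # False: no read from higher
        "read crypto memo": blp_can_read(analyst, crypto_memo),  # False: missing category
        "write report": blp_can_write(analyst, report),          # False: no write-down
        "write plan": blp_can_write(analyst, plan),              # True: write-up is allowed
    }


if __name__ == "__main__":
    for access, allowed in demo().items():
        print(f"{access:18s} -> {'allowed' if allowed else 'denied'}")
```

The "read crypto memo" case is the one the level-only view gets wrong: both labels are
Secret, but dominance also requires the subject to hold every compartment on the
object, so the need-to-know bit denies the read. Note also that B-L by itself lets the
analyst write into the Top Secret plan; only the Biba half of mediate() would stop a
low-integrity subject from doing so.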