4/9/2010
What is a Security Policy?
COMP620
• A security policy defines “secure” for a system
• How do you know that you system is secure until you define what secure is?
• A security policy defines what a user can or cannot do
Policy Source
Who Cares?
Security Policies
Security policies can be created by:
• Organizations (corporations or universities)
• Government
• Software vendors
• Even if you have the most secure encryption system, it will be of little use if you give t
it ill b f littl
if
i
everyone the keys
1
4/9/2010
Confidentiality
Integrity
• X set of entities, I information
• I has confidentiality
has confidentiality property with respect to X
property with respect to X if no x
if no x
∈ X can obtain information from I
• I can be disclosed to others
• Example:
– X set of students
– I final exam answer keyy
– I is confidential with respect to X if students cannot obtain final exam answer key
June 1, 2004
Computer Security: Art and Science
©2002‐2004 Matt Bishop
Slide #4‐5
• X set of entities, I information
• I has integrity
h i
i property with respect to X
ih
X if all x
if ll ∈ X
trust information in I
• Types of integrity:
– trust I, its conveyance and protection (data integrity)
– I information about origin of something or an identity (origin integrity authentication)
(origin integrity, authentication)
– I resource: means resource functions as it should (assurance)
Computer Security: Art and Science
©2002‐2004 Matt Bishop
June 1, 2004
Availability
Slide #4‐6
Types of Security Policies
• X set of entities, I resource
• I has availability
h
il bili property with respect to X
ih
X if all x
if ll ∈ X
can access I
• Types of availability:
– traditional: x gets access or not
– quality of service: promised a level of access (for example, a specific level of bandwidth) and not meet it even though
a specific level of bandwidth) and not meet it, even though some access is achieved
• Military (governmental) security policy
– Policy primarily protecting confidentiality
P li
i
il
t ti
fid ti lit
• Commercial security policy
– Policy primarily protecting integrity
• Confidentiality policy
– Policy protecting only confidentiality
• Integrity policy
– Policy protecting only integrity
June 1, 2004
Computer Security: Art and Science
©2002‐2004 Matt Bishop
Slide #4‐7
June 1, 2004
Computer Security: Art and Science
©2002‐2004 Matt Bishop
Slide #4‐8
2
4/9/2010
Integrity and Transactions
Trust
• Begin in consistent state
An administrator who installs an OS patch
1. Trusts patch came from vendor, not tampered with in transit
2. Trusts vendor tested patch thoroughly
3. Trusts vendor’s test environment corresponds to local environment
corresponds to local environment
4. Trusts patch is installed correctly
– “Consistent” defined by specification
• Perform series of actions (transaction)
– Actions cannot be interrupted
– If actions complete, system in consistent state
– If actions do not complete, system reverts to If actions do not complete system reverts to
beginning (consistent) state
June 1, 2004
Computer Security: Art and Science
©2002‐2004 Matt Bishop
Slide #4‐9
June 1, 2004
Trust in Formal Verification
Computer Security: Art and Science
©2002‐2004 Matt Bishop
Slide #4‐10
Trust in Formal Methods
• Gives formal mathematical proof that given i
input i, program P
ti
P produces output o
d
t t as specified
• Suppose a security‐related program S formally verified to work with operating system O
1. Proof has no errors (can every COMP681 student do this?)
•
Bugs in automated theorem provers
Bugs in automated theorem provers
2. Preconditions hold in environment in which S is to be used
3. S transformed into executable S′ whose actions follow source code
–
Compiler bugs, linker/loader/library problems
4. Hardware executes S′ as intended
–
June 1, 2004
Computer Security: Art and Science
©2002‐2004 Matt Bishop
Slide #4‐11
June 1, 2004
Hardware bugs (Pentium f00f bug, for example)
Computer Security: Art and Science
©2002‐2004 Matt Bishop
Slide #4‐12
3
4/9/2010
Types of Access Control
Question ?
• Discretionary Access Control (DAC, IBAC)
– iindividual user sets access control mechanism to allow or di id l
t
t l
h i t ll
deny access to an object
• Mandatory Access Control (MAC)
– system mechanism controls access to object, and individual cannot alter that access
• Originator Controlled Access Control (ORCON)
Originator Controlled Access Control (ORCON)
– originator (creator) of information controls who can access information
June 1, 2004
Computer Security: Art and Science
©2002‐2004 Matt Bishop
Slide #4‐13
• A university policy disallows cheating which is defined to include copying another student’ss homework (with to include copying another student
homework (with
or without permission)
• CS class has students do homework on lab computers
• Alice forgets to read‐protect her homework file
• Bob copies it
• Who cheated?
– Alice, Bob , or both?
June 1, 2004
Answer Part 1
– Policy
Policy forbids copying homework assignment
forbids copying homework assignment
– Bob did it
– System entered unauthorized state (Bob having a copy of Anne’s assignment)
• If not explicit in computer security policy, certainly implicit
–N
Not credible that a unit of the university allows something t dibl th t
it f th
i
it ll
thi
that the university as a whole forbids, unless the unit explicitly says so
Computer Security: Art and Science
©2002‐2004 Matt Bishop
Slide #4‐14
Answer Part #2
• Bob cheated
June 1, 2004
Computer Security: Art and Science
©2002‐2004 Matt Bishop
Slide #4‐15
• Alice didn’t protect her homework
– Not required by security policy
• She didn’t breach security
• If policy said students had to read‐protect homework files, then Alice did breach security
– She didn’t do this
She didn’t do this
June 1, 2004
Computer Security: Art and Science
©2002‐2004 Matt Bishop
Slide #4‐16
4
4/9/2010
Mechanisms
Mechanisms
• Entity or procedure that enforces some part of th
the security policy
it
li
Mechanisms: may be
• technical, in which controls in the computer enforce the policy; for example, the requirement that a user supply a password to authenticate herself before using the computer
• procedural, in which controls outside the system enforce the policy; for example, firing someone for ringing in a disk containing a game program obtained from an untrusted source
– Access controls (like bits to prevent someone from reading a homework file)
– Disallowing people from bringing CDs and floppy disks into a computer facility to control what is placed on systems
June 1, 2004
Computer Security: Art and Science
©2002‐2004 Matt Bishop
Slide #4‐17
Policy Language
Policy may be expressed in
• natural language, which is usually imprecise but easy to understand;
• mathematics, which is usually precise but hard to understand;
• policy languages, which look like some form of policy languages which look like some form of
programming language and try to balance precision with ease of understanding
Policy Languages
• Express security policies in a precise way
• High‐level languages
– Policy constraints expressed abstractly
• Low‐level languages
– Policy constraints expressed in terms of program options input or specific characteristics of
options, input, or specific characteristics of entities on system
June 1, 2004
Computer Security: Art and Science
©2002‐2004 Matt Bishop
Slide #4‐20
5
4/9/2010
High‐Level Policy Languages
Example: Java in a Web Browser
• Constraints expressed independent of enforcement mechanism
f
t
h i
• Constraints restrict entities, actions
• Constraints expressed unambiguously
• Goal: restrict actions of Java programs that are d
downloaded and executed under control of l d d d
t d d
t l f
web browser
• Language specific to Java programs
• Expresses constraints as conditions restricting invocation of entities
invocation of entities
– Requires a precise language, usually a mathematical logical or programming‐like
mathematical, logical, or programming
like language
June 1, 2004
Computer Security: Art and Science
©2002‐2004 Matt Bishop
Slide #4‐21
June 1, 2004
Computer Security: Art and Science
©2002‐2004 Matt Bishop
Slide #4‐22
Low‐Level Policy Languages
• Set of inputs or arguments to commands
– Check or set constraints on system
• Low level of abstraction
– Need details of system, commands
June 1, 2004
Computer Security: Art and Science
©2002‐2004 Matt Bishop
Slide #4‐23
6