The First Step: Authorization

Now assume that an external user has satisfied the requirements for authentication and has entered the system. Many of us have a personal computer used by one person only, but increasingly the norm in a cyber environment is that multiple parties are present in the same environment, each with a distinct set of resources (files or applications).

Thus, the problem of authorization must be addressed. Suppose a user requests access to a specific file. What is the mechanism that ensures this particular user is authorized to read, write, or delete that file, wherever in the environment the resource resides? Over time, there have been many approaches to this problem.

Security Levels

Complex modern environments tend to have multiple ways of representing the level of access going beyond the familiar UNIX model. Many of us will be familiar with the specific levels of access in a government or military system. In perhaps its simplest form, these levels can be described as Top Secret, Secret, Confidential, and Unclassified.

In such a system, these levels are applied to each subject and object. Then the manner of accepting or rejecting a specific request will follow this hierarchy:

Top Secret > Secret > Confidential > Unclassified

Systems implementing such a hierarchy are normally called multilevel security models (MLSs). An early method of implementing such a model was the so-called Bell-LaPadula model (BLP) (Bell & LaPadula, 1973). In the simplest form of this model, the rules are as follows: (1) classifications apply to objects and (2) clearances apply to subjects.

The BLP security model is designed to express the essential requirements for an MLS. Primarily, BLP deals with confidentiality, in order to prevent unauthorized reading. Recall that O is an object, with a classification, and that S is a subject, with a clearance.

The security level is denoted L(O) for objects and L(S) for subjects. The BLP rules consist of the

Simple Security Condition: S can read O if and only if L(O) ≤ L(S)

*-Property (Star Property): S can write O if and only if L(S) ≤ L(O)

As a shorthand term, this is often referred to as “no read-up, no write-down.”

Partial and Total Order

It is normal in many authorization systems for the user to have not only a security level, as discussed earlier, but also a secondary level of authorization involving a subset of the users at a given security level. For example, a number of users with Secret clearance may be assigned to work together on a single project, but all other users with Secret clearance not involved in this project have no need for the information that is contained in the development of the project, i.e., the “need-to-know” principle. Thus, in this case, a user working on the project will by necessity not only have Secret clearance but also need to be a member of the project group. Therefore, the complete security status for anyone in this environment will require both the level of clearance and the listing of the user’s groups.

Thus, when a request is made by a subject to access a given object, the system must check both parts of the security status: the level and the group (compartment) set. The clearance levels form a "total order": any two levels are comparable, so the level check alone always has an answer. A Confidential subject may never read a Secret object, and a Secret subject may write to (but not read) a Top Secret object. Compartment sets, by contrast, are ordered by set inclusion, which is only a "partial order": two sets may be incomparable, with neither contained in the other. A subject's label dominates an object's label only when the subject's level is at least as high and its compartment set contains the object's. Reading requires the subject to dominate the object; writing requires the object to dominate the subject.

Consider this example of a project where the teams are divided into groups called {Red, Blue, Green, Yellow, Brown}. User A belongs to groups Red, Green, Brown, and object B belongs to groups Blue, Green, Yellow. Then neither a request for A to read B nor a request for A to write to B will be honored, because the group set for A is not contained in the group set for B, nor vice versa (Figure 7.1).

Figure 7.1 Venn diagram for {Red, Blue, Green, Yellow, Brown}.
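The following is an added example, not code from the original text, implementing the combined check just described: a label is a level from the total order plus a compartment set, and a read is allowed only when the subject's label dominates the object's, a write only when the object's label dominates the subject's. The labels for A and B are taken from the text, with the assumption that both sit at the Secret level (the text does not state their levels); the remaining labels are constructed to show the level-only cases.

```python
from dataclasses import dataclass, field

# The clearance/classification levels form a total order: every pair is comparable.
LEVELS = ("Unclassified", "Confidential", "Secret", "Top Secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class Label:
    """Security label: a level from the total order plus a set of compartments (need-to-know)."""
    level: str
    compartments: frozenset = field(default_factory=frozenset)

    def dominates(self, other):
        """self >= other in the lattice: level at least as high AND compartments a superset.
        Compartment sets are ordered by inclusion, a partial order, so two labels may be
        incomparable (neither dominates); then neither read nor write is allowed."""
        return (RANK[self.level] >= RANK[other.level]
                and other.compartments <= self.compartments)


def can_read(subject, obj):
    """Simple security condition (no read up): the subject must dominate the object."""
    return subject.dominates(obj)


def can_write(subject, obj):
    """*-property (no write down): the object must dominate the subject."""
    return obj.dominates(subject)


def decide(subject, command, obj):
    """Map a request to the Accept/Reject vocabulary used in the problems."""
    if command == "read":
        return "Accept" if can_read(subject, obj) else "Reject"
    if command == "write":
        return "Accept" if can_write(subject, obj) else "Reject"
    raise ValueError(f"unknown command {command!r}")


def run_examples():
    """A and B from the text (assumed to be at Secret), plus constructed level-only cases."""
    a = Label("Secret", frozenset({"Red", "Green", "Brown"}))
    b = Label("Secret", frozenset({"Blue", "Green", "Yellow"}))
    conf_user = Label("Confidential")
    secret_user = Label("Secret")
    secret_obj = Label("Secret")
    top_secret_obj = Label("Top Secret")
    return {
        "A read B": decide(a, "read", b),                                      # incomparable -> Reject
        "A write B": decide(a, "write", b),                                    # incomparable -> Reject
        "Confidential read Secret": decide(conf_user, "read", secret_obj),     # read up -> Reject
        "Secret write Top Secret": decide(secret_user, "write", top_secret_obj),  # write up -> Accept
        "Secret read Top Secret": decide(secret_user, "read", top_secret_obj),    # read up -> Reject
    }


if __name__ == "__main__":
    for request, verdict in run_examples().items():
        print(f"{request}: {verdict}")
```

Note that the same two-part test decides every row of Problem 1 below: compare the levels first, then check compartment inclusion in the direction the command requires.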

Covert Channel

Despite the protections provided by the access control system, there may always exist some mechanism to "get around" them. These are typically called "covert channels": communication paths that were not intended as such by the system designers.

Here is one example that could exist in a multilevel security system. Suppose that a user, George, has Top Secret clearance, and another user, Phyllis, has Confidential clearance. Furthermore, suppose that the space for all files is shared. In this case, George creates a file called ABC.txt, which will be assigned Top Secret level since it was created by George with that clearance. Of course, Phyllis cannot read that file, having only Confidential clearance. However, in order for George to communicate a covert message bit by bit to Phyllis, Phyllis checks George’s directory every minute. If in the first minute, Phyllis sees the existence of ABC.txt, she records a “1” bit. If, 1 minute later, George deletes the file and Phyllis checks again—by not seeing the name of the file in the directory—she will record a “0.” Then, George may create the file again, so in the next minute, Phyllis will see the existence of the file and record a “1.” Thus, over a period of, say, 60 minutes, George can “leak” essentially a message of 60 bits.

Consider one further example of a covert channel. Assume that we have a 100-MB Top Secret file, stored unencrypted at the Top Secret level. However, the encrypted version may be stored at the Unclassified level for the purposes of transmitting it from one system to another. This presents no security risk by itself, because the encrypted version is useless to anyone who discovers it without the key. However, the key, stored at the Top Secret level, is perhaps just a few hundred bits. Thus, a method such as that described earlier, leaking one bit at a time from the Top Secret level to the Unclassified level, could make the complete key available at the Unclassified level in just a few hundred minutes and pass on the ability to decrypt the 100-MB file.
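The following is an added simulation of the file-existence channel from the two examples above; it is not code from the original text. It assumes a shared directory in which the low-clearance receiver may list file names but never open the file, and it ticks through the channel one polling interval at a time instead of waiting a real minute per bit. The 128-bit key is a constructed value; at one bit per interval it takes exactly 128 intervals to cross the boundary, with the receiver never reading a byte of file content.

```python
import os
import tempfile


def to_bits(data):
    """Bytes -> list of bits, most significant bit first."""
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def from_bits(bits):
    """List of bits (MSB first) -> bytes; a trailing partial byte is dropped."""
    out = bytearray()
    for i in range(0, len(bits) - len(bits) % 8, 8):
        value = 0
        for bit in bits[i:i + 8]:
            value = (value << 1) | bit
        out.append(value)
    return bytes(out)


class SharedFileSpace:
    """Stand-in for the shared file space (assumption). A real MLS kernel would
    stop the low subject from opening a Top Secret file, but the directory
    listing (file names, i.e. metadata) is visible at every level; that is the channel."""

    def __init__(self, path):
        self.path = path

    # Operations George (Top Secret) performs on his own file.
    def high_create(self, name):
        open(os.path.join(self.path, name), "w").close()

    def high_delete(self, name):
        os.remove(os.path.join(self.path, name))

    # The only operation Phyllis (Confidential) needs: list names, never read contents.
    def low_listing(self):
        return set(os.listdir(self.path))


def leak_via_file_existence(secret, space, name="ABC.txt"):
    """Simulate the channel one polling interval at a time: George sets the
    file's existence to the next bit, then Phyllis records what she sees."""
    received = []
    for bit in to_bits(secret):
        present = name in space.low_listing()
        if bit and not present:
            space.high_create(name)
        elif not bit and present:
            space.high_delete(name)
        received.append(1 if name in space.low_listing() else 0)
    if name in space.low_listing():          # leave the directory as we found it
        space.high_delete(name)
    return from_bits(received)


def demo():
    """Leak a constructed 128-bit key; returns (recovered == key, intervals used)."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed, not a real key
    with tempfile.TemporaryDirectory() as tmp:
        recovered = leak_via_file_existence(key, SharedFileSpace(tmp))
    return recovered == key, len(key) * 8


if __name__ == "__main__":
    ok, intervals = demo()
    print(f"key recovered: {ok}; polling intervals needed: {intervals}")
```

The capacity of this channel is one bit per polling interval, so the only levers a defender has are to slow the channel (auditing or delaying directory listings across levels) or to remove the shared metadata altogether, for example by giving each level its own directory namespace.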

Inference Control

A major application for many users is access to a large database, such as a corporate database or perhaps a university database. The purpose of a database is to allow multiple users to read or modify information according to access rules such as those described earlier. Any user with the ability to submit a database query may be able to inadvertently (or perhaps intentionally) gain information that the user is prohibited from accessing directly. Consider the following example from a university database:

Question: What is average salary of female psychology professors at XYZ University?

Answer: $95,000

Question: How many female psychology professors are there at XYZ University?

Answer: 1

As a result of these two queries, specific information has leaked from responses to general questions!

Inference Control and Research

Medical records are extremely private but critically valuable for epidemiological research. The question is: How can we make aggregates of this medical information available for epidemiological research and yet protect an individual’s privacy? Or, equivalently, how can we allow access to such data without leaking specific information?

A Naïve Answer to Inference Control

We could remove names from medical records. Unfortunately, it still may be easy to get specific information from such "anonymous" data, as has been extremely well documented by Latanya Sweeney (2000), who showed that approximately 87% of the United States' population can be uniquely identified from only three pieces of widely available data: {gender, birthdate including year, and five-digit ZIP code of residence}.

Therefore, removing names is not enough.

Randomization

You can add a small amount of random noise to data. However, this works only with values on a continuous scale, such as weight, age (for example, 45.2 years), or height. It cannot be used with categorical fields such as ZIP code or gender (represented by a 0 or 1), where a perturbed value is not "close to" the original but simply a different category.
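The following is an added example, not code from the original text, covering both the salary leak above and the randomization point. It loads a constructed, fictional faculty table into an in-memory SQLite database, runs the two queries from the text to show the leak (an average over a group of size 1 is one person's salary), applies a query-set-size control that refuses aggregates over fewer than k records, and adds bounded noise to continuous fields only. The table contents, the threshold k = 3, and the field names are all assumptions of the example.

```python
import random
import sqlite3

# Constructed, fictional faculty records: (name, gender, dept, salary).
FACULTY = [
    ("Alice", "F", "Psychology", 95000),
    ("Bob",   "M", "Psychology", 88000),
    ("Carl",  "M", "Psychology", 91000),
    ("Dana",  "F", "History",    72000),
    ("Erin",  "F", "History",    78000),
    ("Fay",   "F", "History",    81000),
    ("Gus",   "M", "History",    69000),
]

# Fields on a continuous scale, where added noise still leaves a usable aggregate.
CONTINUOUS_FIELDS = {"salary", "age", "weight", "height"}


def build_db():
    """In-memory SQLite table loaded with the constructed records."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE faculty (name TEXT, gender TEXT, dept TEXT, salary INTEGER)")
    con.executemany("INSERT INTO faculty VALUES (?, ?, ?, ?)", FACULTY)
    return con


def unguarded_average(con, gender, dept):
    """The text's two queries in one: (average salary, number of matching records)."""
    return con.execute(
        "SELECT AVG(salary), COUNT(*) FROM faculty WHERE gender = ? AND dept = ?",
        (gender, dept),
    ).fetchone()


def guarded_average(con, gender, dept, k=3):
    """Query-set-size control: refuse any aggregate computed over fewer than k records,
    so a COUNT of 1 can never be paired with an AVG that is really one person's salary."""
    avg, n = unguarded_average(con, gender, dept)
    return None if n < k else avg


def perturb_record(record, scale, seed=None):
    """Randomization: add bounded uniform noise to continuous fields only.
    Categorical fields (gender, ZIP code, dept) are returned unchanged, since
    'ZIP + noise' is not a nearby ZIP and 'gender + 0.3' means nothing."""
    rng = random.Random(seed)
    noisy = {}
    for name, value in record.items():
        if name in CONTINUOUS_FIELDS:
            noisy[name] = value + rng.uniform(-scale, scale)
        else:
            noisy[name] = value
    return noisy


if __name__ == "__main__":
    con = build_db()
    print("unguarded:", unguarded_average(con, "F", "Psychology"))  # (95000.0, 1): the leak
    print("guarded:  ", guarded_average(con, "F", "Psychology"))    # None: refused
    print("guarded:  ", guarded_average(con, "F", "History"))       # 77000.0: group of 3
    print(perturb_record({"gender": "F", "zip": "15213", "salary": 95000}, 2000, seed=7))
```

A query-set-size threshold alone is not sufficient: the average over all Psychology professors and the average over male Psychology professors both clear the threshold, and subtracting one from the other recovers the single female professor's salary (a "differencing" attack). Real inference control therefore also limits overlap between successive query sets, or perturbs the answers themselves.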

Firewalls

A firewall must determine what to let into (or out of) the internal network. In other words, the firewall is designed to provide access control for a network. You might think of a firewall as a gatekeeper: to meet with an executive, you first contact the gatekeeper, who decides whether the meeting is reasonable and, in doing so, filters out many requests.

Problems

1. A system contains the following:

Subjects (with clearances and compartments):

Subject   Clearance      Compartments
John      Top Secret     {Accounting, Operations, Development}
Mary      Secret         {Accounting, Operations, Production, Marketing}
David     Confidential   {Production, Development}
Ann       Unclassified   {Accounting, Operations, Marketing, Development}

Objects (with classifications and compartments):

Object     Classification   Compartments
Payroll    Top Secret       {Accounting, Operations, Production}
Inventory  Secret           {Operations, Production, Marketing}
Shipping   Confidential     {Accounting, Operations, Production, Development}
Media      Unclassified     {Accounting, Operations, Production, Marketing}

With a Bell-LaPadula mandatory access control system, indicate whether each of these requests will be accepted or rejected:

Subject   Command   Object      Accept or Reject
John      Read      Inventory
Ann       Write     Payroll
Mary      Read      Media
Ann       Read      Shipping
David     Write     Shipping
John      Write     Media
David     Write     Shipping
Mary      Read      Inventory

2. We have a universe U of objects that are the letters of the alphabet, U = {a, b, c, ..., z}. In this universe, we have objects (words) that define subsets whose elements are the letters that make up the word. For example, the subset for the word elephant is Elephant = {a, e, h, l, n, p, t}. Construct the Venn diagram that displays the sets corresponding to the words Onomatopoeia, Penicillin, Comatose, Lugubrious, and Syzygy.

3. The US Department of Defense, in understanding that covert channels can never be completely eliminated, established a guideline to allow covert channels whose capacity is no more than 1 bit/second. Suppose a malicious leaker adheres to these guidelines. What is the shortest period of time that she can take to leak a 10-kB file?

4. Inference control: You can find a good deal of US city population data at https://factfinder.census.gov/faces/tableservices/jsf/pages/productview.xhtml?src=bkmk. Formulate a query that will give you all cities with a population < 100,000 at the last census but > 100,000 at present.

References

Bell, D. E., & LaPadula, L. J. 1973. Secure Computer Systems: Mathematical Foundations. MITRE Technical Report 2547, Volume I, March 1.

Sweeney, L. 2000. Simple Demographics Often Identify People Uniquely. Carnegie Mellon University, Data Privacy Working Paper 3, Pittsburgh, PA.
