TOPIC LATTICE-BASED ACCESS-CONTROL MODELS. Ravi Sandhu


2 LATTICE-BASED MODELS
- Denning's axioms
- Bell-LaPadula model (BLP)
- Biba model and its duality (or equivalence) to BLP
- Dynamic labels in BLP

3 DENNING'S AXIOMS
The information-flow model is a triple <SC, →, ⊕> where
- SC is the set of security classes
- → ⊆ SC × SC is the flow relation (i.e., can-flow)
- ⊕ : SC × SC → SC is the class-combining operator

4 DENNING'S AXIOMS
For <SC, →, ⊕>:
1. SC is finite
2. → is a partial order on SC
3. SC has a lower bound L such that L → A for all A ∈ SC
4. ⊕ is a least upper bound (lub) operator on SC
The justification for axioms 1 and 2 is stronger than for 3 and 4. In practice we may therefore end up with a partially ordered set (poset) rather than a lattice.

5 DENNING'S AXIOMS IMPLY
- SC is a universally bounded lattice
- there exists a greatest lower bound (glb) operator (also called meet)
- there exists a highest security class H

6 LATTICE STRUCTURES: HIERARCHICAL CLASSES
(figure: a chain of four classes, Unclassified → Confidential → Secret → Top Secret, with can-flow edges pointing upward; reflexive and transitive edges are implied but not shown)

7 LATTICE STRUCTURES: HIERARCHICAL CLASSES
(figure: the same chain, Top Secret over Secret over Confidential over Unclassified, with dominance drawn downward and can-flow drawn upward: A dominates B exactly when B can-flow to A)

8 LATTICE STRUCTURES: COMPARTMENTS AND CATEGORIES
(figure: the subset lattice of two compartments; {ARMY, CRYPTO} at the top, {ARMY} and {CRYPTO} incomparable in the middle, {} at the bottom; the order is set inclusion)

9 LATTICE STRUCTURES: COMPARTMENTS AND CATEGORIES
(figure: the subset lattice of three compartments, eight labels in four rows: {ARMY, NUCLEAR, CRYPTO}; {ARMY, NUCLEAR}, {ARMY, CRYPTO}, {NUCLEAR, CRYPTO}; {ARMY}, {NUCLEAR}, {CRYPTO}; {})

10 LATTICE STRUCTURES: HIERARCHICAL CLASSES WITH COMPARTMENTS
(figure: the two component lattices side by side, the chain S < TS and the subset lattice {} < {A}, {B} < {A,B})
The product of 2 lattices is a lattice.

11 LATTICE STRUCTURES: HIERARCHICAL CLASSES WITH COMPARTMENTS
(figure: the product lattice of slide 10, eight labels in four rows: (TS, {A,B}); (TS, {A}), (TS, {B}), (S, {A,B}); (TS, {}), (S, {A}), (S, {B}); (S, {}). A label (l1, c1) dominates (l2, c2) when l1 ≥ l2 and c1 ⊇ c2.)

12 SMITH'S LATTICE
(figure: Hasse diagram of the labels actually used in Smith's lattice; levels U, C, S, TS with compartments drawn from A, K, L, Q, W, X, Y, Z. Node labels legible in the transcription: TS-AKLQWXYZ, TS-KLX, TS-KQZ, TS-KL, TS-KY, TS-K, TS-L, TS-Q, TS-W, TS-X, TS-Y, TS-Z, TS, S-LW, S-L, S-W, S-A, S, C, U; the edges are not recoverable)

13 SMITH'S LATTICE
With large lattices a vanishingly small fraction of the labels will actually be used.
- Smith's lattice: 4 hierarchical levels, 8 compartments, therefore number of possible labels = 4 × 2^8 = 1024
- Only 21 labels are actually used (2%)
- Consider 16 hierarchical levels and 64 compartments, which gives on the order of 10^20 labels (16 × 2^64 ≈ 3 × 10^20)

14 EMBEDDING A POSET IN A LATTICE
- Smith's subset of 21 labels does form a lattice.
- In general, however, selecting a subset of labels from a given lattice may not yield a lattice, but is guaranteed to yield a partial ordering.
- Given a partial ordering we can always add extra labels to make it a lattice.

15 EMBEDDING A POSET IN A LATTICE
(figure, left: a poset of four labels, {A,B,C} and {A,B,D} each above both {A} and {B}; it is not a lattice because {A} and {B} have two minimal upper bounds and no least one, and the two tops have no greatest lower bound. Right: the same four labels embedded in a lattice by adding {A,B,C,D} as the top, {A,B} as the lub of {A} and {B}, and {} as the bottom.)
Such an embedding is always possible.
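As an added example (editor's code, not from Sandhu's slides), the Python below builds the product lattice of slides 10 and 11 from first principles, reproduces the label count of slide 13, tests whether a chosen subset of labels is itself a lattice (slide 14), and embeds a poset by closing it under the ambient join and meet (slide 15). All function names are the editor's; the closure used here is the sublattice generated inside the ambient lattice, which always yields a lattice but is not necessarily the smallest lattice containing the poset.

```python
from itertools import combinations
from typing import FrozenSet, Iterable, Set, Tuple

# A security class is (hierarchical level, compartment set), e.g. (3, {"A","K"}).
# Levels are integers with 0 the lowest (U < C < S < TS); compartments are strings.
Label = Tuple[int, FrozenSet[str]]

def label(level: int, comps: Iterable[str] = ()) -> Label:
    return (level, frozenset(comps))

def dominates(a: Label, b: Label) -> bool:
    """a >= b in the product order, i.e. b can-flow to a."""
    return a[0] >= b[0] and a[1] >= b[1]

def join(a: Label, b: Label) -> Label:
    """Least upper bound: Denning's class-combining operator."""
    return (max(a[0], b[0]), a[1] | b[1])

def meet(a: Label, b: Label) -> Label:
    """Greatest lower bound (glb), whose existence Denning's axioms imply."""
    return (min(a[0], b[0]), a[1] & b[1])

def full_lattice(levels: int, compartments: Iterable[str]) -> Set[Label]:
    """Every (level, subset-of-compartments) pair: the product of a chain and a
    powerset lattice.  Its size is levels * 2**len(compartments)."""
    comps = list(compartments)
    out: Set[Label] = set()
    for lvl in range(levels):
        for k in range(len(comps) + 1):
            for sub in combinations(comps, k):
                out.add((lvl, frozenset(sub)))
    return out

def label_count(levels: int, n_compartments: int) -> int:
    """Closed form for len(full_lattice(...)), slide 13's 4 * 2**8."""
    return levels * 2 ** n_compartments

def _has_bound_inside(labels: Set[Label], a: Label, b: Label, upper: bool) -> bool:
    """Does a least upper (upper=True) or greatest lower bound of a and b
    exist *within labels*?  Bounds outside the subset do not count."""
    if upper:
        cands = [x for x in labels if dominates(x, a) and dominates(x, b)]
        return any(all(dominates(y, x) for y in cands) for x in cands)
    cands = [x for x in labels if dominates(a, x) and dominates(b, x)]
    return any(all(dominates(x, y) for y in cands) for x in cands)

def is_lattice(labels: Set[Label]) -> bool:
    """Any subset of a lattice is a poset; it is a lattice only if every pair
    has its lub and glb inside the subset (slide 14).  O(n^3), fine for
    label sets of the size that are actually used."""
    return all(_has_bound_inside(labels, a, b, True)
               and _has_bound_inside(labels, a, b, False)
               for a in labels for b in labels)

def embed_in_lattice(labels: Set[Label]) -> Set[Label]:
    """Add labels until the set is closed under the ambient join and meet.
    The result is a sublattice of the ambient lattice, hence a lattice
    (slide 15); the ambient lattice is finite, so this terminates."""
    closed = set(labels)
    changed = True
    while changed:
        changed = False
        for a in list(closed):
            for b in list(closed):
                for c in (join(a, b), meet(a, b)):
                    if c not in closed:
                        closed.add(c)
                        changed = True
    return closed

if __name__ == "__main__":
    # Slide 15's poset: {A,B,C}, {A,B,D} above {A}, {B}; a single level 0.
    poset = {label(0, "ABC"), label(0, "ABD"), label(0, "A"), label(0, "B")}
    print("poset is a lattice:", is_lattice(poset))          # False
    lat = embed_in_lattice(poset)
    print("labels after embedding:", len(lat))               # 7
    print("embedded set is a lattice:", is_lattice(lat))     # True
    print("Smith's label space:", label_count(4, 8))         # 1024
```

The embedding adds exactly the three labels drawn on slide 15 ({A,B,C,D}, {A,B} and {}); on Smith's 21 labels `is_lattice` would return True without any addition, which is what slide 14 states.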

16 BLP BASIC ASSUMPTIONS
- SUB = {S1, S2, ..., Sm}, a fixed set of subjects
- OBJ = {O1, O2, ..., On}, a fixed set of objects
- R = {r, w}, a fixed set of rights
- D, an m × n discretionary access matrix with D[i,j] ⊆ R
- M, an m × n current access matrix with M[i,j] ⊆ {r, w}

17 BLP MODEL (LIBERAL STAR-PROPERTY)
- Lattice of confidentiality labels Λ = {λ1, λ2, ..., λp}
- Static assignment of confidentiality labels λ: SUB ∪ OBJ → Λ
- M, an m × n current access matrix with
  r ∈ M[i,j] ⇒ r ∈ D[i,j] ∧ λ(Si) ≥ λ(Oj)   (simple security: read down)
  w ∈ M[i,j] ⇒ w ∈ D[i,j] ∧ λ(Si) ≤ λ(Oj)   (star-property: write up)

18 BLP MODEL (STRICT STAR-PROPERTY)
- Lattice of confidentiality labels Λ = {λ1, λ2, ..., λp}
- Static assignment of confidentiality labels λ: SUB ∪ OBJ → Λ
- M, an m × n current access matrix with
  r ∈ M[i,j] ⇒ r ∈ D[i,j] ∧ λ(Si) ≥ λ(Oj)   (simple security)
  w ∈ M[i,j] ⇒ w ∈ D[i,j] ∧ λ(Si) = λ(Oj)   (strict star-property: write only at the subject's own level)

19 BLP MODEL
(figure: the chain Top Secret over Secret over Confidential over Unclassified; dominance downward, can-flow upward. Simple security lets a subject read what it dominates; the star-property lets it write only where information can flow.)

20 STAR-PROPERTY
- applies to subjects, not to users
- users are trusted (must be trusted) not to disclose secret information outside of the computer system
- subjects are not trusted because they may have Trojan Horses embedded in the code they execute
- the star-property prevents overt leakage of information and does not address the covert channel problem

21 BIBA MODEL
- Lattice of integrity labels Ω = {ω1, ω2, ..., ωq}
- Assignment of integrity labels ω: SUB ∪ OBJ → Ω
- M, an m × n current access matrix with
  r ∈ M[i,j] ⇒ r ∈ D[i,j] ∧ ω(Si) ≤ ω(Oj)   (simple integrity: read up)
  w ∈ M[i,j] ⇒ w ∈ D[i,j] ∧ ω(Si) ≥ ω(Oj)   (integrity confinement: write down)

22 EQUIVALENCE OF BLP AND BIBA
- Information flow in the Biba model is from top to bottom
- Information flow in the BLP model is from bottom to top
- Since top and bottom are relative terms, the two models are fundamentally equivalent

23 EQUIVALENCE OF BLP AND BIBA
(figure, left: the Biba lattice with HI (High Integrity) above LI (Low Integrity); right: the equivalent BLP lattice with LI (Low Integrity) above HI (High Integrity))

24 EQUIVALENCE OF BLP AND BIBA
(figure, left: the BLP lattice with HS (High Secrecy) above LS (Low Secrecy); right: the equivalent Biba lattice with LS (Low Secrecy) above HS (High Secrecy))

25 COMBINATION OF DISTINCT LATTICES
(figure: the given BLP lattice, HS above LS, and the given Biba lattice, HI above LI, combined into a single equivalent BLP lattice: (HS, LI) at the top, (HS, HI) and (LS, LI) incomparable in the middle, (LS, HI) at the bottom; high integrity sits at the bottom because the Biba lattice is inverted before taking the product)

26 BLP AND BIBA
- BLP and Biba are fundamentally equivalent and interchangeable
- Lattice-based access control is a mechanism for enforcing one-way information flow, which can be applied to confidentiality or integrity goals
- We will use the BLP formulation with high confidentiality at the top of the lattice, and high integrity at the bottom
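The following is an added example (editor's code, not from Sandhu's slides) that puts slides 16 through 26 into one reference monitor: the liberal and strict star-property variants of BLP, the discretionary matrix D gating every access, the Trojan-horse scenario of slide 20, and the Biba rules of slide 21 checked both directly and as BLP on the upside-down lattice. Names such as `BLPMonitor`, `dual` and the sample subjects and objects are the editor's; the sample labels are constructed. The duality mapping flips the level and complements the compartment set, which assumes every compartment in use is listed in the `universe` argument.

```python
from typing import Dict, FrozenSet, Iterable, Set, Tuple

# Label = (hierarchical level, compartment set); level 0 is the lowest.
Label = Tuple[int, FrozenSet[str]]

def lbl(level: int, comps: Iterable[str] = ()) -> Label:
    return (level, frozenset(comps))

def dominates(a: Label, b: Label) -> bool:
    """a >= b in the lattice, i.e. b can-flow to a."""
    return a[0] >= b[0] and a[1] >= b[1]

class BLPMonitor:
    """Reference monitor for slides 17/18: a right enters M only if the
    discretionary matrix D grants it AND the lattice rule for it holds."""

    def __init__(self, D: Dict[Tuple[str, str], Set[str]],
                 lam: Dict[str, Label], strict: bool = False):
        self.D = D            # D[(s, o)] is a subset of {"r", "w"}
        self.lam = lam        # static label assignment over SUB and OBJ
        self.strict = strict  # strict (=) or liberal (<=) star-property
        self.M: Dict[Tuple[str, str], Set[str]] = {}  # current access matrix

    def _granted(self, s: str, o: str, right: str) -> bool:
        return right in self.D.get((s, o), set())

    def can_read(self, s: str, o: str) -> bool:
        # simple security: label(s) >= label(o)
        return self._granted(s, o, "r") and dominates(self.lam[s], self.lam[o])

    def can_write(self, s: str, o: str) -> bool:
        # liberal star-property: label(s) <= label(o); strict: label(s) == label(o)
        if not self._granted(s, o, "w"):
            return False
        if self.strict:
            return self.lam[s] == self.lam[o]
        return dominates(self.lam[o], self.lam[s])

    def request(self, s: str, o: str, right: str) -> bool:
        ok = self.can_read(s, o) if right == "r" else self.can_write(s, o)
        if ok:
            self.M.setdefault((s, o), set()).add(right)
        return ok

# Biba stated directly (slide 21) ...
def biba_can_read(omega: Dict[str, Label], s: str, o: str) -> bool:
    """simple integrity: omega(s) <= omega(o)"""
    return dominates(omega[o], omega[s])

def biba_can_write(omega: Dict[str, Label], s: str, o: str) -> bool:
    """integrity confinement: omega(s) >= omega(o)"""
    return dominates(omega[s], omega[o])

# ... and Biba as BLP on the inverted lattice (slides 22-26).  Flipping the
# level and complementing the compartment set inside `universe` reverses
# the dominance order; `universe` must contain every compartment in use.
def dual(l: Label, n_levels: int, universe: Iterable[str]) -> Label:
    return (n_levels - 1 - l[0], frozenset(universe) - l[1])

def biba_via_blp(omega: Dict[str, Label], n_levels: int,
                 universe: Iterable[str], s: str, o: str) -> Tuple[bool, bool]:
    """(read, write) decided by the liberal BLP rules on the dual labels."""
    d = {k: dual(v, n_levels, universe) for k, v in omega.items()}
    return dominates(d[s], d[o]), dominates(d[o], d[s])

def duality_holds(omega: Dict[str, Label], n_levels: int, universe: Iterable[str],
                  subs: Iterable[str], objs: Iterable[str]) -> bool:
    """Do direct Biba and BLP-on-the-dual agree on every (subject, object) pair?"""
    return all(biba_via_blp(omega, n_levels, universe, s, o)
               == (biba_can_read(omega, s, o), biba_can_write(omega, s, o))
               for s in subs for o in objs)

# Constructed sample: a TS subject that may be running a Trojan horse, a C
# subject, and objects at U, C and TS.  D grants every right, so only the
# lattice rules decide.
LAM = {"alice_ts": lbl(3), "bob_c": lbl(1),
       "memo_u": lbl(0), "report_c": lbl(1), "plan_ts": lbl(3)}
D_ALL = {(s, o): {"r", "w"} for s in ("alice_ts", "bob_c")
         for o in ("memo_u", "report_c", "plan_ts")}

def demo_trojan_horse(strict: bool) -> Dict[str, bool]:
    m = BLPMonitor(D_ALL, LAM, strict=strict)
    return {
        "ts_reads_u": m.request("alice_ts", "memo_u", "r"),   # read down
        "ts_writes_u": m.request("alice_ts", "memo_u", "w"),  # leak blocked
        "c_writes_ts": m.request("bob_c", "plan_ts", "w"),    # blind write-up
        "c_writes_c": m.request("bob_c", "report_c", "w"),    # same level
    }
```

The only difference between the two variants is `c_writes_ts`: the liberal star-property allows a Confidential subject to write blind into a Top Secret object, the strict one does not. A Trojan horse in `alice_ts` is stopped in both, because the write to `memo_u` fails the star-property regardless of what D says.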

27 LIPNER'S LATTICE
(figure: Lipner's lattice drawn as one combined confidentiality/integrity lattice. Legend: S = subjects, O = objects. Subjects placed in the figure: System Managers, System Control, Repair, Production Users, Application Programmers, System Programmers. Objects: Audit Trail, Production Data, Development Code and Data, System Code in Development, Repair Code, Production Code, Tools, System Programs. Node positions and edges are not recoverable from the transcription.)

28 LIPNER'S LATTICE
- Lipner's lattice uses 9 labels from a possible space of 192 labels (3 integrity levels, 2 integrity compartments, 2 confidentiality levels, and 3 confidentiality compartments: 3 × 2^2 × 2 × 2^3 = 192)
- The single lattice shown here can be constructed directly from first principles

29 LIPNER'S LATTICE
- The position of the audit trail at lowest integrity demonstrates the limitation of an information flow approach to integrity
- System control subjects are exempted from the star-property and allowed to write down (with respect to confidentiality) or, equivalently, write up (with respect to integrity)

30 DYNAMIC LABELS IN BLP Tranquility (most common): λ is static for subjects and objects BLP without tranquility may be secure or insecure depending upon the specific dynamics of labelling Noninterference can be used to prove the security of BLP with dynamic labels

31 DYNAMIC LABELS IN BLP High water mark on subjects: λ is static for objects λ may increase but not decrease for subjects Is secure and is useful High water mark on objects: λ is static for subjects λ may increase but not decrease for subjects Is insecure due to disappearing object signaling channel