Slide #5-1
Confidentiality Policy
• Overview
  – What is a confidentiality model
• Bell-LaPadula Model
  – General idea
  – Informal description of rules
Slide #5-2
Confidentiality Policy
• Goal: prevent the unauthorized disclosure of information
  – Deals with information flow
  – Integrity is incidental
• Multilevel security models are the canonical example
  – The Bell-LaPadula Model is the basis for many, or most, of these
Slide #5-3
Bell-LaPadula Model, Step 1
• Security levels are linearly ordered
  – Top Secret: highest
  – Secret
  – Confidential
  – Unclassified: lowest
• Subjects have a security clearance L(s)
  – Objects have a security classification L(o)
Slide #5-4
Example

security level   subject   object
Top Secret       Tamara    Personnel Files
Secret           Samuel    E-Mail Files
Confidential     Claire    Activity Logs
Unclassified     Ulaley    Telephone Lists

• Tamara can read all files
• Claire cannot read Personnel or E-Mail Files
• Ulaley can only read Telephone Lists
Slide #5-5
Reading Information
• Information flows up, not down (from the object read to the subject reading it)
  – “Reads up” disallowed, “reads down” allowed
• Simple Security Condition (Step 1)
  – Subject s can read object o iff L(o) ≤ L(s) and s has permission to read o
    • Note: combines mandatory control (the relationship of the security levels) and discretionary control (the required permission)
  – Sometimes called the “no reads up” rule
Slide #5-6
Writing Information
• Information flows up, not down (from the subject writing to the object written)
  – “Writes up” allowed, “writes down” disallowed
• *-Property (Step 1)
  – Subject s can write object o iff L(s) ≤ L(o) and s has permission to write o
    • Note: combines mandatory control (the relationship of the security levels) and discretionary control (the required permission)
  – Sometimes called the “no writes down” rule
Slide #5-7
Basic Security Theorem, Step 1
• If a system is initially in a secure state, and every transition of the system satisfies the simple security condition, step 1, and the *-property, step 1, then every state of the system is secure
  – Proof: induct on the number of transitions
Slide #5-8
Bell-LaPadula Model, Step 2
• Expand security levels to include categories
• A security level is a pair (clearance, category set)
• Examples
  – (Top Secret, {NUC, EUR, ASI})
  – (Confidential, {EUR, ASI})
  – (Secret, {NUC, ASI})
Slide #5-9
Levels and Lattices
• (A, C) dom (A′, C′) iff A′ ≤ A and C′ ⊆ C
• Examples
  – (Top Secret, {NUC, ASI}) dom (Secret, {NUC})
  – (Secret, {NUC, EUR}) dom (Confidential, {NUC, EUR})
  – (Top Secret, {NUC}) ¬dom (Confidential, {EUR})
• Let C be the set of classifications and K the set of categories. The set of security levels is L = C × 2^K (a classification paired with a subset of K), and dom forms a lattice on L
  – lub of two levels: (the higher classification, the union of the two category sets); glb of two levels: (the lower classification, the intersection)
  – lub(L) = (max(C), K), the top of the lattice
  – glb(L) = (min(C), ∅), the bottom of the lattice
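The dom relation and the lattice it induces, as an added worked example in Python (not code from the slides). The class and function names `Level`, `L`, `lub`, `glb`, `all_levels` and `incomparable_pairs` are chosen here; the classification order and the category names NUC, EUR, ASI are the slides' own. Beyond checking the slide's three pairs, it enumerates the whole lattice C × 2^K for K = {NUC, EUR, ASI} and counts how many pairs dom leaves unrelated, which is what "partial order" means in practice.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, Iterable, List, Tuple

# Linearly ordered classifications (Step 1); higher index = higher clearance.
CLASSIFICATIONS = ("Unclassified", "Confidential", "Secret", "Top Secret")
RANK = {c: i for i, c in enumerate(CLASSIFICATIONS)}


@dataclass(frozen=True)
class Level:
    """A Step-2 security level: (classification, category set)."""
    classification: str
    categories: FrozenSet[str] = frozenset()

    def __post_init__(self) -> None:
        if self.classification not in RANK:
            raise ValueError(f"unknown classification {self.classification!r}")

    def dom(self, other: "Level") -> bool:
        """(A, C) dom (A', C') iff A' <= A and C' is a subset of C."""
        return (RANK[other.classification] <= RANK[self.classification]
                and other.categories <= self.categories)

    def comparable(self, other: "Level") -> bool:
        """dom is only a partial order: two levels may be related in neither direction."""
        return self.dom(other) or other.dom(self)


def L(classification: str, *categories: str) -> Level:
    """Shorthand constructor (a helper chosen for this example)."""
    return Level(classification, frozenset(categories))


def lub(levels: Iterable[Level]) -> Level:
    """Least upper bound: highest classification present, union of the category sets."""
    ls = list(levels)
    top = max(ls, key=lambda lv: RANK[lv.classification]).classification
    return Level(top, frozenset().union(*(lv.categories for lv in ls)))


def glb(levels: Iterable[Level]) -> Level:
    """Greatest lower bound: lowest classification present, intersection of the category sets."""
    ls = list(levels)
    bottom = min(ls, key=lambda lv: RANK[lv.classification]).classification
    cats = ls[0].categories
    for lv in ls[1:]:
        cats = cats & lv.categories
    return Level(bottom, cats)


def all_levels(categories: Iterable[str]) -> List[Level]:
    """Every level in C x 2^K for the given category set K."""
    K = sorted(categories)
    subsets = [frozenset(s) for r in range(len(K) + 1) for s in combinations(K, r)]
    return [Level(c, s) for c in CLASSIFICATIONS for s in subsets]


def incomparable_pairs(levels: Iterable[Level]) -> int:
    """Number of unordered pairs that dom relates in neither direction."""
    return sum(1 for a, b in combinations(list(levels), 2) if not a.comparable(b))


def slide_examples() -> Tuple[bool, bool, bool]:
    """The three dom examples from the slide, in order: True, True, False."""
    return (L("Top Secret", "NUC", "ASI").dom(L("Secret", "NUC")),
            L("Secret", "NUC", "EUR").dom(L("Confidential", "NUC", "EUR")),
            L("Top Secret", "NUC").dom(L("Confidential", "EUR")))
```

With four classifications and three categories the lattice has 32 levels, and 258 of the 496 unordered pairs are incomparable; with the single category NUC only 6 of 28 pairs are. That is the difference between the total order of Step 1 and the partial order of Step 2.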
Slide #5-10
Levels and Ordering
• Security levels are partially ordered
  – Any pair of security levels may (or may not) be related by dom
• “dominates” plays the role that “greater than” played in step 1
  – “greater than” is a total ordering, though
Slide #5-11
Reading Information
• Information flows up, not down
  – “Reads up” disallowed, “reads down” allowed
• Simple Security Condition (Step 2)
  – Subject s can read object o iff L(s) dom L(o) and s has permission to read o
    • Note: combines mandatory control (the relationship of the security levels) and discretionary control (the required permission)
  – Sometimes called the “no reads up” rule
Slide #5-12
Writing Information
• Information flows up, not down
  – “Writes up” allowed, “writes down” disallowed
• *-Property (Step 2)
  – Subject s can write object o iff L(o) dom L(s) and s has permission to write o
    • Note: combines mandatory control (the relationship of the security levels) and discretionary control (the required permission)
  – Sometimes called the “no writes down” rule
Slide #5-13
Basic Security Theorem, Step 2
• If a system is initially in a secure state, and every transition of the system satisfies the simple security condition, step 2, and the *-property, step 2, then every state of the system is secure
  – Proof: induct on the number of transitions
  – In the actual Basic Security Theorem, discretionary access control is treated as a third property, and the simple security condition and *-property are phrased without the discretionary part of the definitions; it is simpler to express them as done here
Slide #5-14
Problem
• The Colonel has security level (Secret, {NUC, EUR})
• The Major has security level (Secret, {EUR})
  – The Major can pass information to the Colonel (“write up” or “read down”)
  – The Colonel cannot pass information to the Major (“read up” or “write down”)
• Clearly absurd!
Slide #5-15
Solution
• Define maximum and current security levels for subjects
  – maxlevel(s) dom curlevel(s)
• Example
  – Treat the Major as an object (the Colonel needs to pass information to him)
  – The Colonel has maxlevel (Secret, {NUC, EUR})
  – The Colonel sets curlevel to (Secret, {EUR})
  – Now L(Major) dom curlevel(Colonel)
    • The Colonel can write to the Major without violating the “no writes down” rule
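A reference-monitor check that combines the Step-2 rules (Slides 5-11 and 5-12) with the maxlevel/curlevel solution above, added here as a worked Python example rather than code from the slides. `Subject`, `Obj`, `ReferenceMonitor`, the ACL dictionary and the sample object "NUC plan" are assumptions chosen for the example. One design choice, consistent with the slide comparing L(Major) against curlevel(Colonel), is that both reads and writes are checked against the subject's current level, so lowering curlevel to write down also takes away the categories the subject gave up for that session. The second function replays Slide 5-4 as the empty-category special case of Step 2.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Linearly ordered classifications (Step 1); higher index = higher clearance.
CLASSIFICATIONS = ("Unclassified", "Confidential", "Secret", "Top Secret")
RANK = {c: i for i, c in enumerate(CLASSIFICATIONS)}

# A Step-2 level is (classification, category set). Step 1 is the special case
# in which every category set is empty, so the same checks serve both.
Level = Tuple[str, FrozenSet[str]]


def level(classification: str, *categories: str) -> Level:
    return (classification, frozenset(categories))


def dom(a: Level, b: Level) -> bool:
    """(A, C) dom (A', C') iff A' <= A and C' is a subset of C."""
    return RANK[b[0]] <= RANK[a[0]] and b[1] <= a[1]


@dataclass
class Subject:
    name: str
    maxlevel: Level                   # clearance; fixed
    curlevel: Optional[Level] = None  # session level; defaults to maxlevel

    def __post_init__(self) -> None:
        if self.curlevel is None:
            self.curlevel = self.maxlevel
        if not dom(self.maxlevel, self.curlevel):
            raise ValueError(f"{self.name}: maxlevel must dominate curlevel")

    def set_curlevel(self, new: Level) -> None:
        """A subject may lower (or restore) its level but never exceed maxlevel."""
        if not dom(self.maxlevel, new):
            raise ValueError(f"{self.name}: {new} is not dominated by maxlevel")
        self.curlevel = new


@dataclass
class Obj:
    name: str
    level: Level


class ReferenceMonitor:
    """Mandatory check (dom on levels) combined with a discretionary check (an ACL)."""

    def __init__(self, acl: Dict[Tuple[str, str], Set[str]]) -> None:
        self.acl = acl  # (subject name, object name) -> subset of {"read", "write"}

    def _granted(self, s: Subject, o: Obj, right: str) -> bool:
        return right in self.acl.get((s.name, o.name), set())

    def can_read(self, s: Subject, o: Obj) -> bool:
        # Simple security condition, "no reads up": curlevel(s) dom L(o), plus DAC.
        return dom(s.curlevel, o.level) and self._granted(s, o, "read")

    def can_write(self, s: Subject, o: Obj) -> bool:
        # *-property, "no writes down": L(o) dom curlevel(s), plus DAC.
        return dom(o.level, s.curlevel) and self._granted(s, o, "write")


def colonel_major_scenario() -> Dict[str, bool]:
    """Slides 5-14 and 5-15: the Colonel writes down by lowering curlevel."""
    colonel = Subject("Colonel", level("Secret", "NUC", "EUR"))
    major = Obj("Major", level("Secret", "EUR"))        # the Major treated as an object
    nuc_plan = Obj("NUC plan", level("Secret", "NUC"))  # constructed sample object
    rm = ReferenceMonitor({
        ("Colonel", "Major"): {"write"},     # DAC: may write to, but not read, the Major
        ("Colonel", "NUC plan"): {"read"},
    })
    result = {
        "write_to_major_at_maxlevel": rm.can_write(colonel, major),   # False: write down
        "read_major_at_maxlevel": rm.can_read(colonel, major),        # False: DAC denies
        "read_nuc_plan_at_maxlevel": rm.can_read(colonel, nuc_plan),  # True
    }
    colonel.set_curlevel(level("Secret", "EUR"))  # give up NUC for this session
    result["write_to_major_lowered"] = rm.can_write(colonel, major)   # True
    # The lowered session can no longer read NUC material, so the write-down
    # path and the NUC data never meet in the same session.
    result["read_nuc_plan_lowered"] = rm.can_read(colonel, nuc_plan)  # False
    try:
        colonel.set_curlevel(level("Top Secret", "EUR"))  # above maxlevel
        result["raise_above_maxlevel_rejected"] = False
    except ValueError:
        result["raise_above_maxlevel_rejected"] = True
    return result


def step1_example() -> Dict[str, List[str]]:
    """Slide 5-4 with empty category sets; the ACL grants everyone read."""
    files = [("Personnel Files", "Top Secret"), ("E-Mail Files", "Secret"),
             ("Activity Logs", "Confidential"), ("Telephone Lists", "Unclassified")]
    people = [("Tamara", "Top Secret"), ("Samuel", "Secret"),
              ("Claire", "Confidential"), ("Ulaley", "Unclassified")]
    objs = [Obj(n, level(c)) for n, c in files]
    subs = [Subject(n, level(c)) for n, c in people]
    rm = ReferenceMonitor({(s.name, o.name): {"read"} for s in subs for o in objs})
    return {s.name: [o.name for o in objs if rm.can_read(s, o)] for s in subs}
```

The check governs only what the lowered session can read from the system; a person who already read NUC material still remembers it. That is why the model lets a subject lower curlevel but cannot make a human's write-down leak-free, and why the discretionary permission stays in the check even where the levels alone would allow the access.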
Slide #5-16
Key Points
• Confidentiality models restrict the flow of information
• Bell-LaPadula models multilevel security
  – Cornerstone of much work in computer security