
Mandatory Access Control Policies

From the document Data-Centric Systems and Applications (pages 60-64)

Authorization and Access Control

4.3 Mandatory Access Control Policies

46 S. De Capitani di Vimercati, S. Foresti, P. Samarati

Fig. 4.5. An example of a security lattice (nodes: TS,{Financial,Economic}; TS,{Financial}; TS,{Economic}; S,{Financial,Economic}; TS,{}; S,{Financial}; S,{Economic}; S,{})

by Ann and Carol. In this way, information in Invoice2 is made readable to Ann and Carol.

Moreover, the security of a system based on discretionary access control is not easy to evaluate, due to the so-called safety problem, which is undecidable.

clearance, reflects the degree of trust placed in the subject not to disclose sensitive information to users not cleared to see it. The set of categories associated with both subjects and objects defines the area of competence of users and data. Categories reflect the need-to-know principle, according to which a subject should only access the information she actually needs to know to perform her job. A user can then connect to the system using her clearance or any access class dominated by her clearance. For instance, with reference to the lattice in Fig. 4.5, a user cleared TS,{Financial} can connect to the system as a TS,{Financial}, S,{Financial}, TS,{}, or S,{} subject. A user connecting to the system generates a process with the same access class associated with the corresponding user. The access requests submitted by a subject are then evaluated by applying the following two principles.

No-read-up. A subject s can read an object o if and only if the access class of the subject dominates the access class of the object.

No-write-down. A subject s can write an object o if and only if the access class of the object dominates the access class of the subject.

These two principles prevent information flowing from high-level subjects/objects to subjects/objects at lower (or incomparable) levels, thereby ensuring the satisfaction of the protection requirements. A subject can write only objects that are more sensitive than the objects she can read. Given the no-write-down principle, it is easy to see why users are allowed to connect to the system at different access classes, so that they are able to access information at different levels (provided that they are cleared for it).

Example 1. Suppose that resources Invoice1 and Invoice2 are classified TS,{Financial,Economic}, resources Order1 and Order2 are classified S,{Economic}, and the clearance of Ann is TS,{Financial,Economic}. It is easy to see that, to modify objects Order1 and Order2, Ann has to connect to the system with, for example, access class S,{Economic}. By contrast, independently of the access class with which Ann connects to the system, she can read objects Order1 and Order2.

Although the no-read-up and no-write-down principles prevent dangerous flows of information from highly sensitive objects to less sensitive objects, these principles may turn out to be too restrictive. For instance, in a real situation data may need to be downgraded (e.g., this may happen at the end of an embargo). To consider these situations as well, secrecy-based mandatory models should handle exceptions for processes that are trusted and ensure that information is sanitized.

The secrecy-based control principles just illustrated summarize the basic axioms of the security model proposed by David Bell and Leonard LaPadula [9, 10, 11, 12]. The first version of the Bell and LaPadula model is based on two criteria: the simple property, which formalizes the no-read-up principle, and the *-property, which formalizes the no-write-down principle.


Fig. 4.6. An example of an integrity lattice (nodes: C,{Financial,Economic}; C,{Financial}; C,{Economic}; I,{Financial,Economic}; C,{}; I,{Financial}; I,{Economic}; I,{})

The first formulation of the model, however, presents a problem related to the fact that no restriction is put on transitions. This implies that the Bell and LaPadula notion of security is also satisfied by a system that, when a subject requests any type of access to an object o, downgrades every subject and object to the lowest possible access class and then grants the access. Intuitively, this problem can be avoided if the security level of an object cannot be changed while it is in use.

This requirement is captured by an informal principle, called the tranquility principle. Another property included in the Bell and LaPadula model is the discretionary property, stating that the set of current accesses is a subset of the access matrix A. Intuitively, it enforces discretionary controls.

4.3.2 Integrity-Based Mandatory Policy

The mandatory policy described in the previous section only guarantees data confidentiality and does not protect data integrity. To avoid such a problem, Biba introduced an integrity model [13], which controls the flow of information and prevents subjects from indirectly modifying information they cannot write. Just as for the secrecy-based model, each subject and object is associated with an integrity class, composed of an integrity level and a set of categories. The integrity level of an integrity class associated with a user reflects the degree of trust placed in the subject to insert and modify sensitive information. The integrity level of an integrity class associated with an object indicates the degree of trust placed on the information stored in the object and the potential damage that could result from unauthorized modifications of the information. Figure 4.6 illustrates an example of an integrity lattice, where there are two integrity levels, namely Crucial (C) and Important (I), and two categories, namely Financial and Economic. Each access request of a subject on an object is evaluated with respect to the following two principles.

No-read-down. A subject s can read an object o if and only if the integrity class of the object dominates the integrity class of the subject.

No-write-up. A subject s can write an object o if and only if the integrity class of the subject dominates the integrity class of the object.

These two principles are the dual of the two principles defined by Bell and LaPadula. The integrity model prevents flows of information from low-level objects to higher-level objects.

Example 2. Suppose that the integrity class associated with Invoice1 and Invoice2 is C,{Financial,Economic}, and the integrity class associated with Order1 and Order2 is I,{Economic}. If user Ann invokes an application when she is connected to the system with integrity class C,{Economic}, the corresponding subject will be allowed to read Invoice1 and Invoice2 and to write Order1 and Order2.

Note that the secrecy-based and integrity-based policies are not mutually exclusive. This means that, if the main goal of a system is to protect both the confidentiality and the integrity of its resources, the system can apply these two policies at the same time. However, objects and subjects have to be assigned two access classes, one for secrecy control and one for integrity control.

Example 3. Consider Example 1 and Example 2 and suppose that the system applies both the secrecy-based policy and the integrity-based policy. In this case, Ann is only allowed to read Invoice1 and Invoice2.
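The dominance relation and the four read/write rules above, applied to Examples 1 to 3 and to the connection classes of Fig. 4.5, as an added example that is not part of the chapter. The level orderings (TS above S, C above I) and every classification of Invoice1/2, Order1/2 and Ann are taken from the text; the function and constant names are assumptions of this example.

```python
from itertools import combinations
from typing import FrozenSet, Mapping, NamedTuple, Set

SECRECY = {"S": 0, "TS": 1}    # secrecy levels: Secret < Top Secret
INTEGRITY = {"I": 0, "C": 1}   # integrity levels: Important < Crucial

class AccessClass(NamedTuple):
    level: str
    categories: FrozenSet[str]

def ac(level: str, *cats: str) -> AccessClass:
    return AccessClass(level, frozenset(cats))

def dominates(c1: AccessClass, c2: AccessClass, ranks: Mapping[str, int]) -> bool:
    """c1 >= c2 iff c1's level is at least c2's and c1's categories include c2's."""
    return ranks[c1.level] >= ranks[c2.level] and c1.categories >= c2.categories

# Bell-LaPadula (secrecy): read needs subject >= object, write needs object >= subject
def blp_can_read(subj: AccessClass, obj: AccessClass) -> bool:
    return dominates(subj, obj, SECRECY)      # no-read-up
def blp_can_write(subj: AccessClass, obj: AccessClass) -> bool:
    return dominates(obj, subj, SECRECY)      # no-write-down

# Biba (integrity): the dual of the two rules above
def biba_can_read(subj: AccessClass, obj: AccessClass) -> bool:
    return dominates(obj, subj, INTEGRITY)    # no-read-down
def biba_can_write(subj: AccessClass, obj: AccessClass) -> bool:
    return dominates(subj, obj, INTEGRITY)    # no-write-up

def combined(subj_sec, subj_int, obj_sec, obj_int) -> dict:
    """Both policies applied at once: an access is granted only if both models allow it."""
    return {"read": blp_can_read(subj_sec, obj_sec) and biba_can_read(subj_int, obj_int),
            "write": blp_can_write(subj_sec, obj_sec) and biba_can_write(subj_int, obj_int)}

def connectable_classes(clearance: AccessClass, ranks: Mapping[str, int]) -> Set[AccessClass]:
    """Every class dominated by the clearance, i.e. the classes a user may connect at."""
    cats = sorted(clearance.categories)
    return {AccessClass(lvl, frozenset(sub))
            for lvl, r in ranks.items() if r <= ranks[clearance.level]
            for k in range(len(cats) + 1) for sub in combinations(cats, k)}

# Classifications taken from Examples 1-3 (names of the constants are this example's)
INVOICE_SEC, INVOICE_INT = ac("TS", "Financial", "Economic"), ac("C", "Financial", "Economic")
ORDER_SEC, ORDER_INT = ac("S", "Economic"), ac("I", "Economic")
ANN_CLEARANCE = ac("TS", "Financial", "Economic")  # Ann's secrecy clearance (Example 1)
ANN_LOW = ac("S", "Economic")                      # Ann connected at a dominated class
ANN_INT = ac("C", "Economic")                      # Ann's integrity class (Example 2)
```

With her clearance Ann can read but not write Order1/Order2, while connected as `ANN_LOW` she can write them (Example 1); under `combined` she can only read the invoices (Example 3).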

A major limitation of the Biba model is that it only captures integrity compromises due to improper information flows. However, integrity is a much broader concept and additional aspects should be taken into account [1].

4.3.3 Drawbacks of the MAC

Although the mandatory policy protects data better than the discretionary policy, it has some problems. The main problem is that the mandatory policy controls only the flows of information in the system that happen through overt channels, that is, channels operating in a legitimate way. The mandatory policy is instead vulnerable to covert channels, which are channels not intended for normal communication but which can still be exploited to infer information. For instance, if a low-level subject requests the use of a resource currently in use by a high-level process, it will receive a negative response.

The system, by not allocating the resource because it is busy, can again be exploited to signal information to lower levels (high-level processes can modulate the signal by acquiring or releasing resources). Another important example of covert channels is represented by timing channels [14], used to infer information on the basis of the response time of the system: if the response time is longer than usual, a low-level subject can infer that there is another, more important, process using the same resource. Therefore, wherever there is a shared resource among different subjects or there exists a system property that can be measured, potentially there is also a covert channel [15]. It is important to note that these problems cannot be solved by giving higher priority to low-level processes, as this policy may cause denials of service for high-level subjects. Covert channel analysis is usually carried out in the implementation phase, when it is possible to identify which system resources are shared among processes and which of them are measurable. There are also methods, called interface models [2, 15], that try to identify and eliminate covert channels in the advanced modeling phase.

Fig. 4.7. An example of a privilege dependency graph (nodes: Bob, Frank, Gary, Ann, Carol, David, Elton)

The most important principle on which interface models are based is the noninterference principle: high-level input should not interfere with low-level output [16]. Obviously, the correctness of the system is not absolute, but it is relative to the specific model used for individuating covert channels.

Another drawback of MAC is that subjects and objects have to be classified, and this may not always be feasible. Moreover, access is evaluated only on the basis of this classification; consequently, the system may be too rigid.
