Base

• The trusted computing base (TCB) is the sum total of all and hardware required to enforce Security Models security • Typically, all of hardware, the core OS that is involved in protection, and all programs that operate with system privileges • Desirable properties: Emin Gun Sirer – Small – Separable, well-defined – Independently-auditable

Reference Monitor Access Control

User • A reference monitor is a separable • Discretionary Access Control module that enforces access control – Individual users may determine the access controls decisions – .g. unix file system implements DAC • All sensitive operations are routed – This model works well in commercial and academic through the reference monitor environments, not so well in the military, hospitals, private web sites, etc. • The monitor then decides if the operation should proceed • Mandatory Access Control Reference – A site-wide security policy is enforced by the system in Monitor • Most commercial OSes do not have a addition to the discretionary access controls reference monitor TCB – Better suited to environments with rigid information access restrictions OS

1 Sample Covert Channel Multilevel Security

• The spymaster sits in a loop monitoring its own • “Multilevel” security refers to environments progress, e.g. how high can it count within a given where users form a hierarchy amount of time – Hierarchy may be linear, as in the military • The mole either computes ferociously or sits idle for – E.g. “unclassified,” “confidential,” “secret,” and “top a certain period secret.” • The spymaster can divine mole’s behavior based on – Or it could possibly be a lattice, as with roles his own progress – E.g. presidential security advisor – Information leaked through system behavior • Multilevel security models are designed to restrict • There are many other covert channels information flow in environments where users at multiple levels interact – Steganography, hidden messages in innocuous messages, e.g. in low-order bits of images – Military sites, hospitals, web sites, etc.

Bell-La Padula Model Biba Model

• Security property: A user at security level k can read only • Integrity property: A user at security level k can objects at level j, where j <= k write only objects at level j, j <= k – General can read lieutenant’s documents – But not the other way around • The integrity * property: A user at level k can read • The * property: A user at level k can write only objects at level only objects at level j, j >= k j, where j >= k • No write up, no read down – A lieutenant can send a message to a general – But not the other way around • Want Bell-La Padula and Biba in the same system, • Can read down and write up for different types of objects • Counterintuitive, but makes sense – information cannot leak – But Bell-La Padula and Biba are in direct conflict from a higher level to a lower level • In practice, a mix of discretionary and mandatory • Bell-La Padula was designed to keep secrets, not to protect access controls are used data integrity – Lieutenant can overwrite general’s files

2 Covert Channels Orange Book

• Confinement problem: Would like to confine secret • DOD published a document to classify the security of information to users with an appropriate clearance operating systems – Possible to use a reference monitor on overt accesses – Introduced some terminology: Levels A through D between processes – Classification technique to determine which OS goes where • A reference monitor is necessary but not enough • Level D: no requirements, catch all category – MSDOS, Windows 95/98/Me – Consider a system with a high-clearance mole who would like to sell information to a low-clearance process • Level C: cooperating users – A reference monitor can prohibit direct calls – C1: protected mode OS, user authentication, discretionary access control, testing, documentation – But the mole can leak information without a direct access – C2: discretionary access control down to users, objects initialized to zeros, auditing. UFS access perms fail C2, need ACLs

Orange Book Levels Orange Book Retrospective

• Levels B & A: all users and objects carry a • Good aspects: security label, system enforces Bell-LaPadula – Reasonable model – B2: system designed top-down in a modular way, – Underscores the importance of software engineering in verifiable, covert channel analysis constructing secure systems, eg. testing, modularity, auditing – B3: ACLs with users and groups, formal TCB, auditing, • Has it worked ? No. secure crash recovery – Cuts off secure OSes from mainline, commercial Oses – A1: formal model of protection, proof of correctness for – No economies of scale model, demo that implementation follows model • High ratings hard to attain • Result: – Aegis cruiser Yorktown running Windows NT towed to port – Some Unix and NT variants have C2 ratings when redundant, ruggedized divide by zero – Custom OSes for the military have higher ratings – CIA director goes home with classified data and connects to AOL

3