Introduction to Computer Security

7.1. Chinese Wall Model

The Chinese Wall model [133] is a model of a security policy that refers equally to confidentiality and integrity. It describes policies that involve a conflict of interest in business, and is as important to those situations as the Bell-LaPadula Model is to the military. For example, British law requires the use of a policy similar to this, and correct implementation of portions of the model provides a defense in cases involving certain criminal charges [586, 587]. The environment of a stock exchange or investment house is the most natural environment for this model. In this context, the goal of the model is to prevent a conflict of interest in which a trader represents two clients, and the best interests of the clients conflict, so the trader could help one gain at the expense of the other.

Consider the database of an investment house. It consists of companies' records about investment and other data that investors are likely to request. Analysts use these records to guide the companies' investments, as well as those of individuals. Suppose Anthony counsels Bank of America in its investments. If he also counsels Citibank, he has a potential conflict of interest, because the two banks' investments may come into conflict. Hence, Anthony cannot counsel both banks.

The following definitions capture this:

Definition 7-1. The objects of the database are items of information related to a company.

Definition 7-2. A company dataset (CD) contains objects related to a single company.

Definition 7-3. A conflict of interest (COI) class contains the datasets of companies in competition.

Let COI(O) represent the COI class that contains object O, and let CD(O) be the company dataset that contains object O. The model assumes that each object belongs to exactly one COI class.

Anthony has access to the objects in the CD of Bank of America. Because the CD of Citibank is in the same COI class as that of Bank of America, Anthony cannot gain access to the objects in Citibank's CD. Thus, this structure of the database provides the required ability. (See Figure 7-1.)

Figure 7-1. The Chinese Wall model database. It has two COI classes. The one for banks contains three CDs. The other one, for gasoline companies, contains four CDs. Each (COI, CD) pair is represented by a lowercase letter (for example, (Bank COI, Citibank) is c). Susan may have access to no more than one CD in each COI, so she could access Citibank's CD and ARCO's CD, but not Citibank's CD and Bank of America's CD.


This implies a temporal element. Suppose Anthony first worked on Bank of America's portfolio and was then transferred to Citibank's portfolio. Even though he is working only on one CD in the bank COI class at a time, much of the information he learned from Bank of America's portfolio will be current. Hence, he can guide Citibank's investments using information about Bank of America, a conflict of interest. This leads to the following rule, where PR(S) is the set of objects that S has read.

  • CW-Simple Security Condition, Preliminary Version: S can read O if and only if either of the following is true.

    1. There is an object O' such that S has accessed O' and CD(O') = CD(O).

    2. For all objects O', O' ∈ PR(S) ⇒ COI(O') ≠ COI(O).

Initially, PR(S) = Ø, and the initial read request is assumed to be granted. Given these assumptions, in the situation above, Bank of America's COI class and Citibank's COI class are the same, so the second part of the CW-simple security condition applies, and Anthony cannot access an object in the former, having already accessed an object in the latter.

Two immediate consequences of this rule affect subject rights. First, once a subject reads any object in a COI class, the only other objects in that COI class that the subject can read are in the same CD as the read object. So, if Susan accesses some information in Citibank's CD, she cannot later access information in Bank of America's CD.

Second, the minimum number of subjects needed to access every object in a COI class is the same as the number of CDs in that COI class. If the gasoline company COI class has four CDs, then at least four analysts are needed to access all information in the COI class. Thus, any trading house must have at least four analysts to access all information in that COI class without creating a conflict of interest.

In practice, companies have information they can release publicly, such as annual stockholders' reports and filings before government commissions. The Chinese Wall model should not consider this information restricted, because it is available to all. Hence, the model distinguishes between sanitized data and unsanitized data; the latter falls under the CW-simple security condition, preliminary version, whereas the former does not. The CW-simple security condition can be reformulated to include this notion.

  • CW-Simple Security Condition: S can read O if and only if any of the following holds.

    1. There is an object O' such that S has accessed O' and CD(O') = CD(O).

    2. For all objects O', O' ∈ PR(S) ⇒ COI(O') ≠ COI(O).

    3. O is a sanitized object.

Suppose Anthony and Susan work in the same trading house. Anthony can read objects in Bank of America's CD, and Susan can read objects in Citibank's CD. Both can read objects in ARCO's CD. If Anthony can also write to objects in ARCO's CD, then he can read information from objects in Bank of America's CD and write to objects in ARCO's CD, and then Susan can read that information; so, Susan can indirectly obtain information from Bank of America's CD, causing a conflict of interest. The CW-simple security condition must be augmented to prevent this.

  • CW-*-Property: A subject S may write to an object O if and only if both of the following conditions hold.

    1. The CW-simple security condition permits S to read O.

    2. For all unsanitized objects O', S can read O' ⇒ CD(O') = CD(O).

In the example above, Anthony can read objects in both Bank of America's CD and ARCO's CD. Thus, condition 1 is met. However, assuming that Bank of America's CD contains unsanitized objects (a reasonable assumption), then because Anthony can read those objects, condition 2 is false. Hence, Anthony cannot write to objects in ARCO's CD.
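The two rules above can be exercised with a small history-tracking reference monitor. This is an added example, not code from the book; the class, function and object names are hypothetical. It assumes that sanitized reads are not recorded in PR(S), and that "S can read O'" in the CW-*-property is evaluated over the objects S has already read.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Obj:
    name: str
    coi: str                 # COI(O): conflict of interest class
    cd: str                  # CD(O): company dataset
    sanitized: bool = False


class ChineseWallMonitor:
    def __init__(self):
        # PR(S), initially empty. Assumption: only unsanitized reads are kept.
        self.pr = {}

    def can_read(self, subject, o):
        """CW-simple security condition."""
        if o.sanitized:                                   # condition 3
            return True
        history = self.pr.get(subject, set())
        if any(p.cd == o.cd for p in history):            # condition 1
            return True
        return all(p.coi != o.coi for p in history)       # condition 2

    def can_write(self, subject, o):
        """CW-*-property. Assumption: "S can read O'" means O' is in PR(S)."""
        history = self.pr.get(subject, set())
        return self.can_read(subject, o) and all(p.cd == o.cd for p in history)

    def read(self, subject, o):
        allowed = self.can_read(subject, o)
        if allowed and not o.sanitized:
            self.pr.setdefault(subject, set()).add(o)
        return allowed


def run_scenario():
    # Constructed sample objects following the Anthony/Susan example.
    boa = Obj("boa-portfolio", "bank", "Bank of America")
    citi = Obj("citi-portfolio", "bank", "Citibank")
    arco = Obj("arco-portfolio", "gasoline", "ARCO")
    report = Obj("citi-annual-report", "bank", "Citibank", sanitized=True)
    m = ChineseWallMonitor()
    return {
        "anthony_reads_boa": m.read("anthony", boa),
        "anthony_reads_citi": m.read("anthony", citi),      # same COI, other CD
        "anthony_reads_citi_report": m.read("anthony", report),
        "anthony_reads_arco": m.read("anthony", arco),
        "anthony_writes_arco": m.can_write("anthony", arco),
        "susan_reads_citi": m.read("susan", citi),
        "susan_reads_boa": m.read("susan", boa),
        "susan_reads_arco": m.read("susan", arco),
        "anna_reads_arco": m.read("anna", arco),
        "anna_writes_arco": m.can_write("anna", arco),      # has read ARCO only
    }


if __name__ == "__main__":
    for step, granted in run_scenario().items():
        print(f"{step}: {'granted' if granted else 'denied'}")
```

Anthony's write to ARCO is denied because his history holds an unsanitized Bank of America object, which closes the indirect path to Susan; a subject whose history holds only ARCO objects may still write there.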

7.1.1. Bell-LaPadula and Chinese Wall Models

The Bell-LaPadula Model and the Chinese Wall model are fundamentally different. Subjects in the Chinese Wall model have no associated security labels, whereas subjects in the Bell-LaPadula Model do have such labels. Furthermore, the Bell-LaPadula Model has no notion of "past accesses," but this notion is central to the Chinese Wall model's controls.

To emulate the Chinese Wall model using Bell-LaPadula, we assign a security category to each (COI, CD) pair. We define two security levels, S (for sanitized) and U (for unsanitized). By assumption, S dom U. Figure 7-2 illustrates this mapping for the system in Figure 7-1. Each object is transformed into two objects, one sanitized and one unsanitized.

Figure 7-2. The relevant parts of the Bell-LaPadula lattice induced by the transformation applied to the system in Figure 7-1. For example, a subject with security clearance in class (U, {a,s}) can read objects with labels (U, {a}) and (U, {s}). The Bell-LaPadula Model defines other compartments (such as U, {a, b}), but because these would allow access to different CDs in the same COI class, the Chinese Wall model requires that compartment to be empty.


Each subject in the Chinese Wall model is then assigned clearance for the compartments that do not contain multiple categories corresponding to CDs in the same COI class. For example, if Susan can read the Bank of America and ARCO CDs, her processes would have clearance for compartment (U, {a, n}). There are three possible clearances from the bank COI class, and four possible clearances from the gasoline company COI class, combining to give 12 possible clearances for subjects. Of course, all subjects can read all sanitized data.

The CW-simple security condition clearly holds. The CW-*-property also holds, because the Bell-LaPadula *-property ensures that the category of input objects is a subset of the category of output objects. Hence, input objects are either sanitized or in the same category (that is, the same CD) as that of the subject.

This construction shows that at any time the Bell-LaPadula Model can capture the state of a system using the Chinese Wall model. But the Bell-LaPadula Model cannot capture changes over time. For example, suppose Susan falls ill, and Anna needs to access one of the datasets to which Susan has access. How can the system know if Anna is allowed to access that dataset? The Chinese Wall model tracks the history of accesses, from which Anna's ability to access the CD can be determined. But if the corresponding category is not in Anna's clearances, the Bell-LaPadula Model does not retain the history needed to determine whether her accessing the category would violate the Chinese Wall constraints.

A second, more serious problem arises when one considers that subjects in the Chinese Wall model may choose which CDs to access; in other words, initially a subject is free to access all objects. The Chinese Wall model's constraints grow as the subject accesses more objects. However, from the initial state, the Bell-LaPadula Model constrains the set of objects that a subject can access. This set cannot change unless a trusted authority (such as a system security officer) changes subject clearances or object classifications. The obvious solution is to clear all subjects for all categories, but this means that any subject can read any object, which violates the CW-simple security condition.

Hence, the Bell-LaPadula Model cannot emulate the Chinese Wall model faithfully. This demonstrates that the two policies are distinct.

However, the Chinese Wall model can emulate the Bell-LaPadula Model; the construction is left as an exercise for the reader. (See Exercise 1.)

7.1.2. Clark-Wilson and Chinese Wall Models

The Clark-Wilson model deals with many aspects of integrity, such as validation and verification, as well as access control. Because the Chinese Wall model deals exclusively with access control, it cannot emulate the Clark-Wilson model fully. So, consider only the access control aspects of the Clark-Wilson model.

The representation of access control in the Clark-Wilson model is the second enforcement rule, ER2. That rule associates users with transformation procedures and CDIs on which they can operate. If one takes the usual view that "subject" and "process" are interchangeable, then a single person could use multiple processes to access objects in multiple CDs in the same COI class. Because the Chinese Wall model would view processes independently of who was executing them, no constraints would be violated. However, by requiring that a "subject" be a specific individual and including all processes executing on that subject's behalf, the Chinese Wall model is consistent with the Clark-Wilson model.