P1L6 Flashcards
Discretionary Access Control (DAC)
owner of resource decides how it can be shared
problems with DAC
- information flow problem (cannot control whether someone who has access to a file will further share its contents)
- in many organizations, the user does not get to decide how or with whom to share
Mandatory Access Control (MAC)
- company and users in the company will decide who has access to the data.
- Regulatory requirements might limit sharing
label in MAC
- indicate sensitivity/category/clearance/need-to-know
- TCB associates labels with object/user
- exact nature of label depends on model/policy
comparing labels
- dominate
- equal
- not comparable
BLP read down rule (simple security)
- user can read documents at lower security
BLP write up rule (star property)
- user can write documents at higher security
tranquility principle
classification of an obj/subj does not change during a session
biba vs BLP
- biba focuses on integrity while BLP focuses on confidentiality
- biba read up, write down
policy for commercial environments
- clearance is not common
- data can only be accessed by certain applications
- separation-of-duty & conflict-of-interest
clark-wilson policy
user -> program -> obj
chinese wall policy
user cannot access obj from another user in the same conflict class
trusting software
- functional correctness
- maintain data integrity
- protect disclosure of sensitive data
- confidence
TCB design principle
- least privilege for users/programs
- economy: keep trusted code as small as possible
- open design: obscurity doesn’t work
- complete mediation
- fail safe default
- ease of use
how to build a TCB
- authentication
- access control (MAC & DAC)
how to protect data in OS
it needs to protect itself (tamperproof)
data protection security features of trusted OS
- object reuse protection
- disk blocks, mem reuse
- allocate disk or mem, then look to see what’s left behind
- zero out objs before use
- secure file deletion
- secure disk destruction
kernel design requirements
- enforce all sec mechanisms
- good isolation, small size
- reference monitor controls access to objects
- tamperproof
- un-bypassable
- analyzable
use of testing
- demonstrate the existence of a problem
testing challenge
- test case generation
- code coverage
- exponential number of different executions
- different execution environments
formal verification
- checking a mathematical specification of a program
- model checking, automated theorem proving
- exponential time & space complexity
model checking can show absence of a problem
True. Model checking is a form of formal verification.