Integrity Considerations for Secure Computer Systems
Abstract
An integrity policy defines formal access constraints which, if effectively enforced, protect data from improper modification. The author identifies the integrity problems posed by a secure military computer utility. Integrity policies addressing these problems are developed and their effectiveness evaluated. A prototype secure computer utility, Multics, is then used as a testbed for the application of the developed access controls.
... According to the protection and taint rules, STBAC can meet the three conditions of the "Low-Water Mark Policy for Objects" in Biba's model [6], which are: ...
... LOMAC has ideas similar to ours. It implements the Low-Water-Mark model [6] in the Linux kernel, and aims to bring simple but useful MAC integrity protection to Linux. It maintains good compatibility with existing software. ...
Today, security threats to operating systems largely come from the network. Traditional discretionary access control mechanisms alone can hardly defeat them. Although traditional mandatory access control models can effectively protect the security of the OS, they have the problems of being incompatible with application software and complex to administer. In this paper, we propose a new model, the Suspicious-Taint-Based Access Control (STBAC) model, for defeating network attacks while remaining compatible, simple and maintaining good system performance. STBAC regards the processes using Non-Trustable-Communications as the starting points of suspicious taint, traces the activities of the suspiciously tainted processes by taint rules, and forbids the suspiciously tainted processes to illegally access vital resources by protection rules. Even in cases where some privileged processes are subverted, STBAC can still protect vital resources from being compromised by the intruder. We implemented the model in the Linux kernel and evaluated it through experiments. The evaluation showed that STBAC could protect vital resources effectively without significant impact on compatibility and performance.
... System integrity [16] is the quality of a system to perform its intended function without being impaired by unauthorized manipulation, whether intentional or accidental. This implies the absence of inappropriate alteration in the state of the system. ...
... Even traditionally security-related topics such as domain separation have broad merit. For example, the Biba access-control model [6] is equally useful whether low-integrity data is the result of malicious attacks, honest mistakes, or timeliness requirements. ...
We initiate the study of Access Control Encryption (ACE), a novel cryptographic primitive that allows fine-grained access control, by giving different rights to different users not only in terms of which messages they are allowed to receive, but also which messages they are allowed to send. Classical examples of security policies for information flow are the well-known Bell-LaPadula [BL73] or Biba [Bib75] models: in a nutshell, the Bell-LaPadula model assigns roles to every user in the system (e.g., public, secret and top-secret). A user's role specifies which messages the user is allowed to receive (i.e., the no read-up rule, meaning that users with public clearance should not be able to read messages marked as secret or top-secret) but also which messages the user is allowed to send (i.e., the no write-down rule, meaning that a user with top-secret clearance should not be able to write messages marked as secret or public). To the best of our knowledge, no existing cryptographic primitive allows for even this simple form of access control, since no existing cryptographic primitive enforces any restriction on what kind of messages one should be able to encrypt. Our contributions are:
- Introducing and formally defining access control encryption (ACE);
- A construction of ACE with complexity linear in the number of roles based on classic number-theoretic assumptions (DDH, Paillier);
- A construction of ACE with complexity polylogarithmic in the number of roles based on recent results on cryptographic obfuscation;
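The Biba rules referred to in the STBAC and LOMAC snippets above (the Low-Water Mark policies) and the no-read-down / no-write-up counterparts of the Bell-LaPadula rules just described, worked through as a small added example; this is not code from any of the papers on this page, and the integrity levels and the daemon/socket/passwd entities are constructed for illustration.

```python
"""Biba integrity policies: strict integrity plus low-water mark for subjects and
objects. Added example, not code from any paper listed on this page; the
integrity levels below are constructed (higher means more trusted)."""
from dataclasses import dataclass

UNTRUSTED, USER, SYSTEM = 0, 1, 2  # constructed total order of integrity levels


@dataclass
class Entity:
    name: str
    level: int


def strict_observe(s: Entity, o: Entity) -> bool:
    """Simple integrity: read only at or above the subject's level (no read-down),
    so low-integrity data cannot contaminate the subject."""
    return s.level <= o.level


def strict_modify(s: Entity, o: Entity) -> bool:
    """Integrity *-property: write only at or below the subject's level (no write-up)."""
    return o.level <= s.level


def lwm_subject_observe(s: Entity, o: Entity) -> int:
    """Low-water mark for subjects: the read is allowed, but the subject's level
    sinks to min(subject, object); later writes must still pass strict_modify()."""
    s.level = min(s.level, o.level)
    return s.level


def lwm_object_modify(s: Entity, o: Entity) -> int:
    """Low-water mark for objects: the write is allowed, but the object's level
    sinks to min(object, writer), recording that untrusted data flowed in."""
    o.level = min(o.level, s.level)
    return o.level


def demo_network_daemon() -> dict:
    """A SYSTEM-level daemon reads untrusted network input, then tries to
    rewrite a SYSTEM-level file: the case the STBAC and LOMAC abstracts describe."""
    daemon, sock, passwd = Entity("daemon", SYSTEM), Entity("sock", UNTRUSTED), Entity("passwd", SYSTEM)
    out = {"strict_read_allowed": strict_observe(daemon, sock)}
    lwm_subject_observe(daemon, sock)  # daemon is now tainted to UNTRUSTED
    out["write_after_taint_allowed"] = strict_modify(daemon, passwd)
    # Object policy: the write goes through, but passwd is demoted to the writer's level.
    out["passwd_level_after_tainted_write"] = lwm_object_modify(daemon, passwd)
    return out
```

Under strict integrity the daemon is refused the read outright; under the subject low-water mark it may read but is then refused the write; under the object low-water mark the write succeeds and the file itself is marked untrusted, which is what a later integrity check can detect.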
The approach proposed in this article integrates the Attribute-Based Access Control (ABAC) model and the Alloy modeling tool to enhance security in cloud environments, whether collaborative or non-collaborative. Cloud computing facilitates data management, particularly in collaborative environments that promote teamwork, but this increased flexibility introduces more complex security challenges. In contrast, non-collaborative environments offer stricter access control, thereby improving security while limiting the flexibility of interactions. The ABAC model allows for the definition of fine-grained access policies based on user roles, context, and data sensitivity, making it an ideal solution for protecting Electronic Health Records (EHR). With dynamic access management, only authorized individuals can view or manipulate sensitive data. The use of Alloy enables the formalization and testing of these security policies by simulating different access scenarios to verify the consistency of the rules and understand the trade-offs between security and flexibility. Thus, the combination of ABAC and Alloy provides a robust solution for managing access in complex cloud environments while ensuring optimal protection of sensitive data.
Protection of computations and information is an important aspect of a computer utility. In a system which uses segmentation as a memory addressing scheme, protection can be achieved in part by associating concentric rings of decreasing access privilege with a computation. The mechanisms allow cross-ring calls and subsequent returns to occur without trapping to the supervisor. Automatic hardware validation of references across ring boundaries is also performed. Thus, a call by a user procedure to a protected subsystem (including the supervisor) is identical to a call to a companion user procedure. The mechanisms of passing and referencing arguments are the same in both cases as well.
At present, the system described in this paper has not been approved by the Department of Defense for processing classified information. This paper does not represent DOD policy regarding industrial application of time- or resource-sharing of EDP equipment.
This paper presents the design of a kernel for certifiably secure computer systems being built on the Digital Equipment Corporation PDP-11/45. The design applies a general purpose mathematical model of secure computer systems to an off-the-shelf computer. An overview of the model is given. The paper includes a specification of the design that will be the basis for a rigorous proof of the correspondence between the model and the design. This design and implementation has demonstrated the technical feasibility of the security kernel approach for designing secure computer systems.
Certification is the approval, by some appropriate authority, that a system meets some functional criteria. In the past, critical software systems, such as security controls, have not been certifiable because of the unavailability of a formal validation technique. This paper establishes such a formal methodology for validating the correctness of a software system. The methodology is both rigorous and general and is suitable for certifying the effectiveness of software security controls that are to be used in an open environment. A companion volume will develop a detailed example based on a security kernel for a PDP-11/45.
The report presents a mathematical model which specifies the security constraints applicable to computer systems which simultaneously handle data of different sensitivity levels. This model is used to develop a model of security for computer systems which have directory structured file systems. (Author)
This document is a collection of working papers produced by the members of the Computer Security Branch, Directorate of Information Systems Technology, Deputy for Command and Management Systems. These papers identify the direction of ongoing computer security efforts. (Author)
The report describes practical protection mechanisms that allow mutually suspicious subsystems to cooperate in a single computation and still be protected from one another. The mechanisms are based on the division of a computation into independent domains of access privilege, each of which may encapsulate a protected subsystem. The central component of the mechanisms is a hardware processor that automatically enforces the access constraints associated with a multidomain computation implemented as a single execution point in a segmented virtual memory.