4 Authorization and Access Control

S. De Capitani di Vimercati, S. Foresti, P. Samarati

To solve the drawbacks of discretionary access control policies, mandatory access control policies make a distinction between users and subjects (a subject being a process that acts on behalf of a user). Mandatory policies were introduced in the operating system context, where the objects to be protected are essentially files containing the data. Later studies investigated the extension of mandatory policies to the database context [17, 18, 19, 20]. This topic will be treated in detail in a following chapter.

Mandatory policies are usually based on classifications associated with subjects and objects. The classification, called an access class, is most commonly a pair of two elements: a security level and a set of categories. While security levels form a totally ordered set, categories are members of an unordered set. Access classes therefore form a partially ordered set, where the partial order relation ≥, called dominance, is defined as follows: given two access classes c1 and c2, c1 ≥ c2 (i.e., c1 dominates c2) iff the security level of c1 is greater than or equal to the security level of c2 and the set of categories of c1 includes the set of categories of c2. Access classes together with the dominance relationship form a lattice [8]. Figure 4.5 illustrates an example of a lattice where there are two security levels, namely Top Secret (TS) and Secret (S), with TS > S, and two categories, namely Financial and Economic.

4.3.1 Secrecy-Based Mandatory Policy

The main goal of a secrecy-based mandatory policy is to protect the confidentiality of information. In this case, the security level of the access class associated with an object reflects the sensitivity of the information it contains. The security level of the access class associated with a subject, called clearance, reflects the degree of trust placed in the subject not to disclose sensitive information to users not cleared to see it. The set of categories associated with both subjects and objects defines the area of competence of users and data. Categories reflect the need-to-know principle, according to which a subject should only access the information she actually needs to perform her job. A user can then connect to the system using her clearance or any access class dominated by her clearance. For instance, with reference to the lattice in Fig. 4.5, a user cleared TS, {Financial} can connect to the system as a TS, {Financial}, S, {Financial}, TS, ∅, or S, ∅ subject. A user connecting to the system generates a process whose access class is the one the user connected with. The access requests submitted by a subject are then evaluated by applying the following two principles.

No-read-up. A subject s can read an object o if and only if the access class of the subject dominates the access class of the object.

No-write-down. A subject s can write an object o if and only if the access class of the object dominates the access class of the subject.

These two principles prevent information from flowing from high-level subjects/objects to subjects/objects at lower (or incomparable) levels, thereby ensuring the satisfaction of the protection requirements. A subject can write only objects whose access class dominates her own, that is, objects at least as sensitive as anything she can read. Given the no-write-down principle, it is easy to see why users are allowed to connect to the system at different access classes: only in this way can they write information at lower levels (provided that they are cleared for it).

Example 1. Suppose that resources Invoice1 and Invoice2 are classified TS, {Financial, Economic}, resources Order1 and Order2 are classified S, {Economic}, and the clearance of Ann is TS, {Financial, Economic}. By the no-write-down principle, to modify Order1 and Order2 Ann has to connect to the system with an access class dominated by S, {Economic}, for example S, {Economic} itself; a write from her full clearance would be a write-down and is denied. By the no-read-up principle, Ann can read Order1 and Order2 from any access class that dominates S, {Economic}, for example TS, {Financial, Economic} or S, {Economic}, but not from TS, {Financial}, whose category set does not include Economic. Invoice1 and Invoice2, by contrast, can be read only when Ann connects at her full clearance TS, {Financial, Economic}.

Although the no-read-up and no-write-down principles prevent dangerous flows of information from highly sensitive objects to less sensitive objects, they may turn out to be too restrictive. For instance, in a real situation data may need to be downgraded (e.g., at the end of an embargo). To accommodate these situations as well, secrecy-based mandatory models should allow exceptions for trusted processes and ensure that the information released is sanitized.

The secrecy-based control principles just illustrated summarize the basic axioms of the security model proposed by David Bell and Leonard LaPadula [9, 10, 11, 12]. The first version of the Bell and LaPadula model is based on two criteria: the simple security property, which formalizes the no-read-up principle, and the *-property (star property), which formalizes the no-write-down principle.

[Figure 4.6: Hasse diagram of the integrity lattice with levels C > I and categories Financial, Economic. Top: C,{Financial, Economic}; below it C,{Financial}, C,{Economic} and I,{Financial, Economic}; then C,{}, I,{Financial} and I,{Economic}; bottom: I,{}.]

Fig. 4.6. An example of an integrity lattice

The first formulation of the model, however, presents a problem related to the fact that no restriction is placed on state transitions. This implies that the Bell and LaPadula notion of security is also satisfied by a system that, whenever a subject requests any type of access to an object o, downgrades every subject and object to the lowest possible access class and then grants the access: every individual state is secure, yet information has flowed down. Intuitively, this problem can be avoided if the access class of an object cannot be changed while it is in use. This restriction is captured by an informal principle called the tranquility principle. Another property included in the Bell and LaPadula model is the discretionary property, stating that the set of current accesses is a subset of the access matrix A; intuitively, it enforces discretionary controls alongside the mandatory ones.

4.3.2 Integrity-Based Mandatory Policy

The mandatory policy described in the previous section only guarantees data confidentiality and does not protect data integrity. To address this, Biba introduced an integrity model [13], which controls the flow of information and prevents subjects from indirectly modifying information they cannot write. Just as in the secrecy-based model, each subject and object is associated with an integrity class, composed of an integrity level and a set of categories. The integrity level of the integrity class associated with a user reflects the degree of trust placed in the subject to insert and modify sensitive information. The integrity level of the integrity class associated with an object indicates the degree of trust placed in the information stored in the object and the potential damage that could result from unauthorized modifications of that information. Figure 4.6 illustrates an example of an integrity lattice, where there are two integrity levels, namely Crucial (C) and Important (I), with C > I, and two categories, namely Financial and Economic. Each access request of a subject on an object is evaluated with respect to the following two principles.

No-read-down. A subject s can read an object o if and only if the integrity class of the object dominates the integrity class of the subject.

No-write-up. A subject s can write an object o if and only if the integrity class of the subject dominates the integrity class of the object.

These two principles are the duals of the two Bell and LaPadula principles. The integrity model prevents information from flowing from low-integrity objects to objects at higher (or incomparable) integrity levels.

Example 2. Suppose that the integrity class associated with Invoice1 and Invoice2 is C, {Financial, Economic}, and the integrity class associated with Order1 and Order2 is I, {Economic}. If user Ann invokes an application when she is connected to the system with integrity class C, {Economic}, the corresponding subject will be allowed to read Invoice1 and Invoice2 and to write Order1 and Order2.

Note that the secrecy-based and integrity-based policies are not mutually exclusive. This means that, if the main goal of a system is to protect both the confidentiality and the integrity of its resources, the system can apply these two policies at the same time. However, objects and subjects have to be assigned two access classes, one for secrecy control and one for integrity control.

Example 3. Consider Example 1 and Example 2 and suppose that the system applies both the secrecy-based policy and the integrity-based policy. In this case, connected at her secrecy clearance TS, {Financial, Economic} with integrity class C, {Economic}, Ann is only allowed to read Invoice1 and Invoice2: reading Order1 and Order2 would be a read-down under Biba, writing Invoice1 and Invoice2 would be a write-up under Biba, and writing Order1 and Order2 from her clearance would be a write-down under Bell and LaPadula.
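The lattice, the two Bell and LaPadula rules, their Biba duals and the combination used in Example 3 can be checked mechanically. The following Python is an added example written for this page, not code from the chapter or its authors. It encodes the levels TS > S and C > I as integer ranks (an assumption of the example), models an access class as a (rank, category set) pair with a dominates() method, reproduces the decisions of Examples 1 to 3, and enumerates the access classes Ann may connect at.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import FrozenSet, List, Mapping


@dataclass(frozen=True)
class AccessClass:
    """An access class: a totally ordered level plus an unordered set of categories.

    Levels are stored as integer ranks (assumed encoding: higher rank = higher
    level), so TS > S and C > I both become 2 > 1.
    """
    level: int
    categories: FrozenSet[str]

    def dominates(self, other: "AccessClass") -> bool:
        # c1 >= c2 iff level(c1) >= level(c2) and categories(c1) includes categories(c2)
        return self.level >= other.level and self.categories >= other.categories


SECRECY_LEVELS: Mapping[str, int] = {"TS": 2, "S": 1}
INTEGRITY_LEVELS: Mapping[str, int] = {"C": 2, "I": 1}


def ac(levels: Mapping[str, int], level: str, *categories: str) -> AccessClass:
    """Build an access class from a level name and category names."""
    return AccessClass(levels[level], frozenset(categories))


# Bell and LaPadula (secrecy): no-read-up, no-write-down.
def blp_can_read(subject: AccessClass, obj: AccessClass) -> bool:
    return subject.dominates(obj)


def blp_can_write(subject: AccessClass, obj: AccessClass) -> bool:
    return obj.dominates(subject)


# Biba (integrity): the duals, no-read-down, no-write-up.
def biba_can_read(subject: AccessClass, obj: AccessClass) -> bool:
    return obj.dominates(subject)


def biba_can_write(subject: AccessClass, obj: AccessClass) -> bool:
    return subject.dominates(obj)


# Both policies at once: every subject and object carries two classes and a
# request must pass both checks.
def both_can_read(s_sec, s_int, o_sec, o_int) -> bool:
    return blp_can_read(s_sec, o_sec) and biba_can_read(s_int, o_int)


def both_can_write(s_sec, s_int, o_sec, o_int) -> bool:
    return blp_can_write(s_sec, o_sec) and biba_can_write(s_int, o_int)


def connectable_classes(clearance: AccessClass, levels: Mapping[str, int]) -> List[AccessClass]:
    """Every access class dominated by the clearance: the classes a user may log in at."""
    result = []
    cats = sorted(clearance.categories)
    for rank in levels.values():
        if rank > clearance.level:
            continue
        for k in range(len(cats) + 1):
            for subset in combinations(cats, k):
                result.append(AccessClass(rank, frozenset(subset)))
    return result


# Objects of Examples 1 and 2 as (secrecy class, integrity class) pairs.
INVOICE = (ac(SECRECY_LEVELS, "TS", "Financial", "Economic"),
           ac(INTEGRITY_LEVELS, "C", "Financial", "Economic"))
ORDER = (ac(SECRECY_LEVELS, "S", "Economic"), ac(INTEGRITY_LEVELS, "I", "Economic"))
ANN_CLEARANCE = ac(SECRECY_LEVELS, "TS", "Financial", "Economic")
ANN_INTEGRITY = ac(INTEGRITY_LEVELS, "C", "Economic")


def example_3(subject_secrecy: AccessClass) -> dict:
    """Ann connected at the given secrecy class with integrity class C,{Economic}, both policies on."""
    return {
        "read Invoice": both_can_read(subject_secrecy, ANN_INTEGRITY, *INVOICE),
        "write Invoice": both_can_write(subject_secrecy, ANN_INTEGRITY, *INVOICE),
        "read Order": both_can_read(subject_secrecy, ANN_INTEGRITY, *ORDER),
        "write Order": both_can_write(subject_secrecy, ANN_INTEGRITY, *ORDER),
    }


if __name__ == "__main__":
    for cls in connectable_classes(ANN_CLEARANCE, SECRECY_LEVELS):
        print(cls, example_3(cls))
```

Running the module prints, for each of the eight access classes dominated by Ann's clearance, which of the four requests of Example 3 pass both policies; only a read of the invoices from TS, {Financial, Economic} does, which is the result stated in Example 3.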

A major limitation of the Biba model is that it only captures integrity compromises due to improper information flows. However, integrity is a much broader concept and additional aspects should be taken into account [1].

4.3.3 Drawbacks of the MAC

Although the mandatory policy protects data better than the discretionary policy, it has some problems. The main problem is that the mandatory policy controls only the flows of information that happen through overt channels, that is, channels operating in a legitimate way. The mandatory policy is instead vulnerable to covert channels, which are channels not intended for normal communication but which can still be exploited to infer information. For instance, if a low-level subject requests the use of a resource currently in use by a high-level process, it will receive a negative response. The system, by refusing to allocate the busy resource, can thus be exploited to signal information to lower levels (high-level processes can modulate the signal by acquiring or releasing the resource). Another important example of covert channels is represented by timing channels [14], used to infer information on the basis of the response time of the system: if the response time is longer than usual, a low-level subject can infer that another, more important, process is using the same resource. Therefore, wherever there is a resource shared among different subjects, or a system property that can be measured, there is potentially a covert channel [15]. It is important to note that these problems cannot be solved by giving higher priority to low-level processes, as this policy may cause denials of service for high-level subjects. Covert channel analysis is usually carried out in the implementation phase, when it is possible to identify which system resources are shared among processes and which of them are measurable. There are also methods, called interface models [2, 15], that try to identify and eliminate covert channels in the earlier modeling phase. The most important principle on which interface models are based is the noninterference principle: high-level input should not interfere with low-level output [16]. Obviously, the correctness of the system is not absolute, but relative to the specific model used for identifying covert channels.

[Figure 4.7: privilege dependency graph over the users Bob, Frank, Gary, Ann, Carol, David and Elton; the graph itself is not reproduced here.]

Fig. 4.7. An example of a privilege dependency graph
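The resource-contention and timing channels described above, and the noninterference test that would catch them, as an added example that is not part of the original chapter: a simulated single-instance resource, a HIGH process that encodes bits by holding or releasing it, and a LOW process that decodes them either from refusals or from a simulated one-tick queueing delay. The resource model, the tick counts and the one-bit-per-slot encoding are assumptions of the example. It also models the fix the text rejects, giving LOW priority, which closes the channel only by denying HIGH the resource.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SharedResource:
    """A single-instance resource (a tape drive, a lock) shared across levels.

    The MAC policy never lets HIGH write a LOW object, but whether the resource
    is busy is visible to anyone who asks for it: that state is the channel.
    """
    holder: Optional[str] = None

    def request(self, who: str) -> bool:
        if self.holder is None:
            self.holder = who
            return True
        return False

    def release(self, who: str) -> None:
        if self.holder == who:
            self.holder = None


def high_step(res: SharedResource, bit: int) -> None:
    """HIGH sends one bit per time slot: hold the resource for a 1, free it for a 0."""
    if bit:
        res.request("high")
    else:
        res.release("high")


def low_probe(res: SharedResource) -> int:
    """LOW asks for the resource once per slot. A refusal decodes as 1, a grant as 0."""
    if res.request("low"):
        res.release("low")
        return 0
    return 1


def low_probe_timing(res: SharedResource, baseline_ticks: int = 1) -> int:
    """Timing variant: the request always completes, but takes one extra tick
    (simulated queueing) when someone else holds the resource."""
    ticks = baseline_ticks + (1 if res.holder not in (None, "low") else 0)
    return 1 if ticks > baseline_ticks else 0


def to_bits(data: bytes) -> List[int]:
    return [(byte >> i) & 1 for byte in data for i in range(7, -1, -1)]


def from_bits(bits: List[int]) -> bytes:
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))


def low_trace(high_inputs: List[int]) -> List[int]:
    """What LOW observes, slot by slot, for a given sequence of HIGH actions."""
    res = SharedResource()
    trace = []
    for bit in high_inputs:
        high_step(res, bit)
        trace.append(low_probe(res))
    return trace


def leak(secret: bytes, timing: bool = False) -> bytes:
    """Run the channel over a constructed secret and return what LOW reconstructs."""
    res = SharedResource()
    observed = []
    for bit in to_bits(secret):
        high_step(res, bit)
        observed.append(low_probe_timing(res) if timing else low_probe(res))
    return from_bits(observed)


def interferes(high_inputs_a: List[int], high_inputs_b: List[int]) -> bool:
    """Noninterference requires LOW's output trace to be the same for every
    HIGH input sequence; two HIGH sequences giving different LOW traces is interference."""
    return low_trace(high_inputs_a) != low_trace(high_inputs_b)


def leak_with_low_priority(secret: bytes) -> Tuple[bytes, int]:
    """The rejected fix: LOW preempts HIGH so LOW is never refused. The channel
    closes (LOW decodes only zeros) but every 1 bit costs HIGH its resource."""
    res = SharedResource()
    observed, preemptions = [], 0
    for bit in to_bits(secret):
        high_step(res, bit)
        if res.holder == "high":
            res.holder = None          # LOW's higher priority evicts HIGH
            preemptions += 1
        observed.append(low_probe(res))  # always granted now
    return from_bits(observed), preemptions


if __name__ == "__main__":
    print(leak(b"TS"), leak(b"TS", timing=True), leak_with_low_priority(b"TS"))
```

The secret b"TS" is a constructed sample; both probes recover it exactly, interferes() reports the dependence of LOW's trace on HIGH's behaviour, and the priority variant returns all-zero bytes together with one preemption of HIGH per transmitted 1 bit, which is the denial of service the text warns about.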

Another drawback of MAC is that subjects and objects have to be classified, and this may not always be feasible. Moreover, access is evaluated only on the basis of this classification; consequently, the system may be too rigid.