Information Security Management (4): Models for the Technical Specification of Information Security Systems
1 Information security models
An information security model uses mathematical notation and proofs, and is a good reference point for building an information security system.
Models of Security
- A formal method is a process for building security into computer-based systems while exploiting the power of mathematical notation and proofs
- To understand the relation between Security and Trust
1.1 Two viewpoints
The functions, design and implementation of any information system should be looked at from two viewpoints: the user's and the implementer's. Keeping the two apart helps when we later communicate with users and with project members.
Two views of functions and of system design
1.1.1 The user view
From the user's viewpoint, what matters is the requirements analysis: the functions the user expects the system to provide. The user can only judge the system's usability as a whole, so there is no need to tell them the implementation details; tell them only what functions you have delivered.
- Elicited during requirements analysis for a system; records what a system should do
- An aggregate of views
- Independent of the details of the implementation
- The specification of the system
1.1.2 The implementation view
From the implementation viewpoint, the system is a large and complex integrated product that needs extremely careful planning, design and monitoring of the implementation. A good design and specification affects everyone involved.
- Built during system design; records how the system is to be constructed
- A design
- The design and the specification should reflect each other
1.2 Security and trust
When communicating with others, speak in terms of a degree of trust rather than of security; in security models, too, we discuss degree of trust rather than secure-or-not (this concerns mainly the difference between the English senses of security and trust). Security is an absolute concept: we can only describe something as secure or insecure. But there is no absolute security in the world, so how do we express how secure our system is? For this we introduce the concept of trust, which comes in levels. So when talking with others we use levels of trust rather than security, so that both sides reach a reasonably consistent understanding.
The relation between security and trust
Typically security is binary (a yes or no answer)
To trust a system, other attributes may be necessary, such as:
- Functional correctness
- Enforcement of integrity
- Limited privileges
- Level of confidence
Here we compare the similarities and differences between security and trust.
Attributes of security and trust
1.3 Uses of security models
Security models are used mainly for testing and for documentation. A security model also serves as a standard template, which saves designers a great deal of time and makes it fairly easy to check, at the design and implementation stages, how far the system is from the user's requirements.
Security models are used to
- Test a policy for completeness and consistency
- Document a policy
- Conceptualise and design an implementation
- Check if an implementation meets its requirements
1.4 Lattice model
The lattice model is a mathematical model (see the figure) and is the core pattern of the other models discussed below. It has two main properties: transitivity and antisymmetry. Understanding the lattice model helps us understand the overall design of information security, the trust structure, and the trust level of each entity.
A generalised model based on mathematical structure called lattice
- Transitive
If a ≥ b and b ≥ c then a ≥ c
- Antisymmetric
If a ≥ b and b ≥ a then a = b
2 Trusted Computer System Evaluation Criteria (TCSEC)
TCSEC assesses the trustworthiness of a computer system from the user's viewpoint and is an important set of criteria in information system security. Once a system has been designed, the user should judge the trustworthiness of the design against these criteria, to decide whether it meets their requirements. In this article I only outline the concept of TCSEC; in a future article I will describe the specific criteria and how they are implemented in detail.
- Originally developed by the US Department of Defense
- Introduced in 1983 and still in use today
- Concerned with safeguarding classified data while procuring systems from vendors; provides generally accepted principles for vendors
- Trust in the confidentiality, integrity, and availability of data
- The user view of the model
- Defines levels of trusted systems: A1, B1, B2, B3, C1, C2, D
3 Bell La Padula Model
The Bell La Padula model is a military information security model; it protects the confidentiality of information by controlling the access of subjects (entities) to objects. It has two principles: no read up, meaning you cannot read information classified above your clearance, and no write down, meaning information at a higher level cannot be moved to a lower level. The whole purpose is to guarantee confidentiality.
- Deals with controlling access to objects
- Used to define security requirements while handling data at different sensitivity levels
Two basic Axioms
- No Read Up: a subject cannot read information for which it is not cleared
- No Write Down: a subject cannot move information from an object with a higher security classification to an object with a lower classification
The main components of the Bell La Padula model are as follows:
3.1 Current access set
The set of accesses currently in force. There are four access attributes (operations): execute, read, append and write. A subject represents a user and an object represents information; each user holds the corresponding operation permissions on the information.
- Execute: neither observe nor alter
- Read: observe, but do not alter
- Append: alter but do not observe
- Write: observe and alter
- Represented as Subject, Object and access attribute
3.2 Hierarchy
The whole information structure is a tree-like hierarchy, in which a parent node holds all the information and permissions of its child nodes.
- Tree structure of objects
- All nodes of the structure can only have one parent node
- A node can have several children nodes
- Isolated objects are possible
3.3 Access permission matrix
This matrix expresses the permission relationship between subjects (users) and objects (information).
- Allows for discretionary access control
- Places objects vs. subjects in a matrix
3.4 Level function
- Classifies the privileges of objects and subjects in a strict hierarchical form with labels
3.5 Other components
We can thus divide information into top secret, secret, confidential and unclassified.
- Top secret, secret, confidential, and unclassified
- (C1, A) dominates (C2, B) if and only if C1 is greater than or equal to C2, and A includes B as a subset
3.6 Example: access attribute matrix
A typical access attribute matrix
- There exists a strict hierarchical and bureaucratic structure, with well-defined responsibilities
- People in the organisation will be granted clearance based on their need to know basis
- There is a high level of trust in the organisation and people will adhere to all ethical rules and principles
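The following is an added example, not code from the original notes: it puts the level function, the dominance rule of 3.5, the four access attributes of 3.1 and a discretionary access permission matrix together in one Bell La Padula access check. The subjects, objects, labels and matrix entries are a constructed sample.

```python
from typing import Dict, FrozenSet, NamedTuple, Set

# Level function: the strict ordering of classifications.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}

class Label(NamedTuple):
    classification: str
    categories: FrozenSet[str]      # need-to-know compartments

def dominates(a: Label, b: Label) -> bool:
    """(C1, A) dominates (C2, B) iff C1 >= C2 and A includes B as a subset."""
    return (LEVELS[a.classification] >= LEVELS[b.classification]
            and a.categories >= b.categories)

# Observe/alter semantics of the four access attributes.
OBSERVES = {"read", "write"}     # execute and append observe nothing
ALTERS = {"append", "write"}     # execute and read alter nothing

# Constructed sample: subject/object labels and a discretionary
# access permission matrix (subject -> object -> attributes).
SUBJECTS = {"alice": Label("secret", frozenset({"nato"})),
            "bob": Label("top secret", frozenset({"nato", "crypto"}))}
OBJECTS = {"plan": Label("top secret", frozenset({"nato"})),
           "log": Label("confidential", frozenset()),
           "notes": Label("secret", frozenset({"nato"}))}
MATRIX: Dict[str, Dict[str, Set[str]]] = {
    "alice": {"plan": {"read", "write", "execute"}, "log": {"append"},
              "notes": {"write"}},
    "bob": {"plan": {"read"}, "log": {"read", "write"}},
}

def allowed(subject: str, obj: str, attr: str) -> bool:
    """Grant attr only if the matrix permits it and both mandatory axioms hold."""
    if attr not in MATRIX.get(subject, {}).get(obj, set()):
        return False                               # discretionary denial
    s, o = SUBJECTS[subject], OBJECTS[obj]
    if attr in OBSERVES and not dominates(s, o):
        return False                               # no read up
    if attr in ALTERS and not dominates(o, s):
        return False                               # no write down
    return True

def permitted_attrs(subject: str, obj: str) -> Set[str]:
    """Entries this subject/object pair could hold in the current access set."""
    return {a for a in ("execute", "read", "append", "write")
            if allowed(subject, obj, a)}
```

Note that alice may execute the top secret plan but neither read nor write it, and may not even append to the confidential log, because appending would move secret information down.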
4 Denning Information Flow Model
The Denning information flow model is concerned with the secure control of information flows; its structure is the same as that of the previous model, Bell La Padula.
- Focuses on the security of information flows
- Defined as:
- Set of Objects (eg.: files, information containers)
- Active Agents (processes responsible for information flow)
- Security Classes (allocated to each object and agent)
- Determination Operator (ascertains resultant Class after information merges between objects)
- Flow Operator (determines if information can flow from one class to another)
- The 'flow operator' is the critical part of the model
- It determines if information will be allowed to flow from, say, a top secret file to an existing secret file
- The flow operation is reflexive, transitive, and antisymmetric
- There exists lower and upper bounds operations
- Higher class can receive information
- Lower class can send information
- Information cannot flow between objects with incompatible security classes
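The following is an added example, not code from the original notes: it implements the flow operator, the determination operator (least upper bound) and the lower bound of the Denning model over classes of the form (level, categories), and checks the reflexive, antisymmetric and transitive properties that section 1.4 requires of the lattice. The sample classes are constructed.

```python
from itertools import product
from typing import FrozenSet, Iterable, List, NamedTuple, Tuple

LEVELS = ["unclassified", "confidential", "secret", "top secret"]

class SecClass(NamedTuple):
    level: str
    categories: FrozenSet[str]

def can_flow(src: SecClass, dst: SecClass) -> bool:
    """Flow operator: src -> dst is permitted iff dst dominates src."""
    return (LEVELS.index(dst.level) >= LEVELS.index(src.level)
            and dst.categories >= src.categories)

def join(a: SecClass, b: SecClass) -> SecClass:
    """Determination operator (least upper bound): the class of the
    information produced when objects of class a and class b are merged."""
    return SecClass(LEVELS[max(LEVELS.index(a.level), LEVELS.index(b.level))],
                    a.categories | b.categories)

def meet(a: SecClass, b: SecClass) -> SecClass:
    """Greatest lower bound: the highest class that may flow into both a and b."""
    return SecClass(LEVELS[min(LEVELS.index(a.level), LEVELS.index(b.level))],
                    a.categories & b.categories)

def violations(flows: Iterable[Tuple[str, SecClass, str, SecClass]]) -> List[str]:
    """Names the flows (src, src_class, dst, dst_class) the operator forbids."""
    return [f"{s} -> {d}" for s, sc, d, dc in flows if not can_flow(sc, dc)]

def is_partial_order(classes: Iterable[SecClass]) -> bool:
    """Reflexive, antisymmetric and transitive over a sample of classes."""
    cs = list(classes)
    reflexive = all(can_flow(a, a) for a in cs)
    antisym = all(a == b for a, b in product(cs, cs)
                  if can_flow(a, b) and can_flow(b, a))
    transitive = all(can_flow(a, c) for a, b, c in product(cs, cs, cs)
                     if can_flow(a, b) and can_flow(b, c))
    return reflexive and antisym and transitive

# Constructed sample: a top secret plan, a plain secret summary, and two
# secret files in incompatible compartments.
TS_NATO = SecClass("top secret", frozenset({"nato"}))
S_NONE = SecClass("secret", frozenset())
S_NATO = SecClass("secret", frozenset({"nato"}))
S_CRYPTO = SecClass("secret", frozenset({"crypto"}))
```

The two compartmented secret files illustrate the last bullet: neither may flow into the other, and information merged from both must be classified at their join.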
The Reference Monitor
- To enforce the access control policy
- Design requirements
- Must be tamper-proof
- Must always be invoked
- Must be small enough
- Must be open to testing and formal verification
5 Biba Model
Essentially similar to the Bell La Padula model, but concerned with the integrity of information instead.
- The Bell La Padula equivalent for integrity
- Two security properties
- If a subject can modify an object, then the integrity level of the subject must be higher than the integrity level of the object
- If a subject has read access to a particular object, then the subject can have write access to a second object only if the integrity level of the first object is greater than or equal to the integrity of second object
Biba vs. Bell La Padula Model
The biggest difference between Biba and Bell La Padula is that Biba aims to stop untrusted information from flowing into higher-integrity categories, thereby guaranteeing integrity, whereas Bell La Padula aims to stop information in higher-classified categories from being obtained by lower-cleared personnel, thereby guaranteeing confidentiality. Biba is therefore better suited to commercial environments and Bell La Padula to military ones.
- Prevent the flow of non-trusted information into a file with a higher integrity classification (Biba)
- Prevent the leaking of higher confidential information to a lower classified file (Bell La Padula)
- Both are difficult to implement
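The following is an added example, not code from the original notes: it implements the two Biba properties listed above, recording what a subject has read so that the second property can be enforced on later writes, and sets a Bell La Padula write check on the same scale beside it to show that the two models point in opposite directions. The level scale and subjects are constructed.

```python
from typing import List

# Constructed scale; used as integrity levels for Biba and, in the contrast
# function at the end, as classification levels for Bell La Padula.
LEVELS = {"low": 0, "medium": 1, "high": 2}

class BibaSubject:
    """A subject with an integrity level that remembers what it has observed."""

    def __init__(self, name: str, level: str) -> None:
        self.name = name
        self.level = level
        self.observed: List[str] = []    # integrity levels of objects read so far

    def read(self, obj_level: str) -> None:
        """Reads are recorded because they constrain later writes (property 2)."""
        self.observed.append(obj_level)

    def can_modify(self, obj_level: str) -> bool:
        # Property 1: the subject's integrity must dominate the object's (>= here,
        # the usual dominance form; the notes above phrase it as 'higher than').
        if LEVELS[self.level] < LEVELS[obj_level]:
            return False
        # Property 2: every object already read must have integrity >= the
        # target, so data observed at low integrity is never written upward.
        return all(LEVELS[o] >= LEVELS[obj_level] for o in self.observed)

def blp_can_write(subject_level: str, obj_level: str) -> bool:
    """Contrast: Bell La Padula's no write down on the same scale permits the
    write only when the object is at or above the subject, the reverse direction."""
    return LEVELS[obj_level] >= LEVELS[subject_level]
```

Once a high-integrity process has read a low-integrity file it can no longer modify high-integrity objects, even though its own level has not changed.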
6 Clark-Wilson Model
A model for financial systems, in which the integrity of information is the highest goal.
Assumption: bookkeeping in financial institutions is the most important integrity check
6.1 Basic principles:
- Separating responsibilities as much as possible
- Implements separation and integrity check into an information system
6.2 Basic components:
- The Constrained Data Item (CDI)
  - Related to balancing entries in account books
- The Transformation Procedure (TP)
  - The set of legitimate processes that may be performed on the specified sets of CDIs
6.3 Requirements:
- The system must separately identify and authenticate every user
- The system must ensure that specified data items can be manipulated only by a restricted set of programs, and the data center controls must ensure that these programs, which have already been identified as Transformation Procedures, meet the well-formed transaction rule
- The system must associate with each user a valid set of programs to be run, and the data center must ensure that these sets meet the separation of duty rule
- The system must maintain an audit log that records every program executed and the name of the authorising user
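The following is an added example, not code from the original notes: a toy enforcement core for a two-account ledger in which the four requirements above become an authentication set, a TP certification table, a per-user authorisation table checked for separation of duty, and an audit log. The accounts, users and TPs are a constructed sample.

```python
from typing import Callable, Dict, List, Set, Tuple

# Constrained data items: ledger balances (constructed sample).
CDIS: Dict[str, int] = {"acct:A": 100, "acct:B": 50}
BOOK_TOTAL = sum(CDIS.values())           # the books must always balance to this

def tp_transfer(cdis: Dict[str, int], src: str, dst: str, amount: int) -> bool:
    """Well-formed transaction: moves value, never creates, destroys or overdraws it."""
    if amount <= 0 or cdis[src] < amount:
        return False
    cdis[src] -= amount
    cdis[dst] += amount
    return True

def tp_reconcile(cdis: Dict[str, int], *names: str) -> bool:
    """Balancing entries check on the account books."""
    return sum(cdis[n] for n in names) == BOOK_TOTAL

# Transformation procedures, and the CDIs each one is certified to touch.
TPS: Dict[str, Callable[..., bool]] = {"transfer": tp_transfer, "reconcile": tp_reconcile}
CERTIFIED: Dict[str, Set[str]] = {"transfer": {"acct:A", "acct:B"},
                                  "reconcile": {"acct:A", "acct:B"}}
# Valid set of programs per user: clerks move money, auditors check it.
AUTHORISED: Dict[str, Set[str]] = {"clerk": {"transfer"}, "auditor": {"reconcile"}}
AUTHENTICATED: Set[str] = {"clerk", "auditor"}      # users the system has identified
AUDIT_LOG: List[Tuple[str, str, Tuple[str, ...]]] = []

def separation_of_duty_ok() -> bool:
    """Nobody may both move money and certify that the books balance."""
    return not any({"transfer", "reconcile"} <= tps for tps in AUTHORISED.values())

def run_tp(user: str, tp: str, cdi_names: Tuple[str, ...], *args) -> Tuple[bool, str]:
    """The only gate through which a CDI may change."""
    if user not in AUTHENTICATED:
        return False, "user not authenticated"
    if tp not in AUTHORISED.get(user, set()):
        return False, "user not authorised for this TP"
    if not set(cdi_names) <= CERTIFIED.get(tp, set()):
        return False, "TP not certified for these CDIs"
    ok = TPS[tp](CDIS, *cdi_names, *args)
    AUDIT_LOG.append((user, tp, cdi_names))         # every execution, with its user
    return ok, ("executed" if ok else "TP rejected the transaction")
```

Only executions that reach a TP are logged; requests refused by the authentication, authorisation or certification checks never touch a CDI.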
7 Afterword
Each model has its strengths and weaknesses; we should choose a base model according to our particular circumstances.
- Each model has its merits
- An abstraction of reality is after all only an abstraction. The context of the abstraction is the environment
7.1 Military systems
Military systems have a fairly distinctive structure: a complete system of trust, and clear roles and responsibilities. In military systems, therefore, the integrity of information is not the main concern; the main concern is its confidentiality.
The military is unique
- Culture of trust
- Clear roles and responsibilities
- Integrity typically is not much of a concern
7.2 Non-military systems
Non-military systems are rather different. There is no very reliable culture of trust, and information flows very freely, so non-military systems generally treat the integrity of information as the most important consideration. Of course, a good organisation should make use of information security models rather than be driven by them. So we should analyse our organisational environment thoroughly, build sensible policies, and cultivate security awareness.
- A non-military organisation is different
- Integrity is key
- Trust should not be assumed
- Information flows freely
- The organisation should drive the model rather than the model driving the organisation
- A thorough analysis of the environment is necessary
- The culture and the operations need to be understood before the policy is made
- Awareness needs to be promulgated
- The requirement of integrity must be clearly understood
References
- Gurpreet Dhillon, Principles of Information Security Systems: Texts and Cases, Chapter 2: Security of Technical Systems in Organisations
- Gurpreet Dhillon, Principles of Information Security Systems: Texts and Cases, Chapter 3: Models for Technical Specification of Information System Security
- Charles P. Pfleeger and Shari Lawrence Pfleeger, Security in Computing, Chapter 5: Designing Trusted Operating Systems