
A Complete Generative Label Model for Lattice-Based Access Control Models

Conference paper in: Software Engineering and Formal Methods (SEFM 2017)

Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 10469)
Abstract

Lattice-based access control models (LBAC), initiated by the Bell-LaPadula (BLP) and Biba models and consolidated by Denning, have played a vital role in building secure systems via Information Flow Control (IFC). IFC systems typically label data and track labels, while allowing users to exercise appropriate access privileges. This is defined through a finite set of security classes over a lattice. Recently, IFC has also been playing a crucial role in formally establishing the security of operating systems/programs. Towards such a goal, researchers often use assertions to keep track of the flow of information from one subject/object to another object/subject. Specifying and realizing these assertions would benefit greatly if the underlying labels of objects/subjects could be interpreted in terms of the access permissions/rights of subjects/objects as well as the subjects/objects that have influenced them; this would lead to the automatic generation of proof obligations/assertions. Thus, if one can arrive at a label model for LBAC that satisfies properties like (i) intuitive and expressive labels, (ii) completeness w.r.t. Denning's lattice model, and (iii) efficient computations on labels, then building/certifying secure systems using LBAC will benefit greatly.

In this paper, we arrive at such a semantic generative model (one that tracks the readers/writers of objects/subjects) for Denning's lattice model, and establish a strong correspondence between syntactic label policies and semantically labelled policies. Such a correspondence leads to the derivation of the recently proposed Readers-Writers Flow Model (RWFM). It may be noted that RWFM [11] also deals with declassification rules, which are not discussed here as they are not relevant. The relationship further establishes that the RWFM label model provides an application-independent concrete generative label model that is sound and complete w.r.t. Denning's model. We define the semantics of information flow in this label model, and argue that reading and writing induce possibly different pre-orders on the set of subjects. Hence, the subject relations become explicit, making it possible to derive relations from the labels. We further define a notion of information dominance on subjects and show that a notion of principal hierarchy can be naturally defined that is consistent with the IFC model; this perhaps overcomes the adverse impact on the flow policy that is often experienced with the classical approach of defining the hierarchy orthogonally. This enables us to realize Role-Based Access Control (RBAC) structurally and enforce information flow security. Further, we demonstrate how the underlying label model succinctly subsumes various lattice-based control models like BLP, Biba, RBAC, the Chinese wall model, etc.
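As an added illustration (not code from the paper), the readers/writers label lattice in the style of RWFM [11]: the flow relation, the join, a floating-label read, and an encoding of BLP levels as reader/writer sets, which is how the "subsumes BLP" claim can be checked mechanically. The label rules follow the RWFM formulation as I understand it from the authors' earlier work; the subjects and clearances are constructed sample data.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet

@dataclass(frozen=True)
class RWLabel:
    """Readers/writers label (owner, R, W): R is the set of subjects allowed to
    read the data, W the set of subjects that have influenced it."""
    owner: str
    readers: FrozenSet[str]
    writers: FrozenSet[str]

def can_flow(src: RWLabel, dst: RWLabel) -> bool:
    """src may flow to dst iff no reader is gained and no writer is lost."""
    return src.readers >= dst.readers and src.writers <= dst.writers

def join(a: RWLabel, b: RWLabel) -> RWLabel:
    """Least upper bound: only common readers survive, all writers accumulate."""
    return RWLabel(a.owner, a.readers & b.readers, a.writers | b.writers)

def subject_label(name: str, everyone: FrozenSet[str]) -> RWLabel:
    """Fresh subject: nothing has influenced it yet, so anyone may read from it."""
    return RWLabel(name, everyone, frozenset({name}))

def read(subject: RWLabel, obj: RWLabel) -> RWLabel:
    """Read is permitted only to listed readers; the subject's label then floats
    up to absorb the object's label, so anything it writes later stays labelled."""
    if subject.owner not in obj.readers:
        raise PermissionError(f"{subject.owner} is not a reader of {obj.owner}'s data")
    return join(subject, obj)

def blp_label(owner: str, level: int, clearance: Dict[str, int]) -> RWLabel:
    """Encode a BLP security level: subjects cleared at or above the level may
    read it, subjects cleared at or below it may have written it."""
    return RWLabel(owner,
                   frozenset(s for s, c in clearance.items() if c >= level),
                   frozenset(s for s, c in clearance.items() if c <= level))

# Constructed sample: three subjects on the linear BLP lattice 0 < 1 < 2.
CLEARANCE = {"carol": 0, "bob": 1, "alice": 2}
PUBLIC = blp_label("carol", 0, CLEARANCE)
SECRET = blp_label("alice", 2, CLEARANCE)
```

With these labels, `can_flow(PUBLIC, SECRET)` holds and `can_flow(SECRET, PUBLIC)` does not, which is exactly BLP's "no read up, no write down" recovered from the reader and writer sets alone.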

N.V. Narendra Kumar — Currently at IDRBT, Hyderabad 500057, India.


References

  1. Bell, D., La Padula, L.: Secure computer systems: Unified exposition and Multics interpretation. Technical Report ESD-TR-75-306, MTR-2997, MITRE, Bedford, Mass (1975)

  2. Blaze, M., Feigenbaum, J., Lacy, J.: Decentralized trust management. In: IEEE SP 1996, pp. 164–173. IEEE Computer Society (1996)

  3. Brewer, D., Nash, M.: The Chinese wall security policy. In: 1989 Proceedings of the IEEE Symposium on Security and Privacy, pp. 206–214, May 1989

  4. Crampton, J.: On permissions, inheritance and role hierarchies. In: Proceedings of the 10th ACM Conference on Computer and Communications Security, CCS, pp. 85–92 (2003)

  5. Denning, D.: A lattice model of secure information flow. Commun. ACM 19(5), 236–243 (1976)

  6. Ellison, C., Frantz, B., Lampson, B., Rivest, R., Thomas, B., Ylonen, T.: RFC 2693: SPKI certificate theory. IETF RFC Publication, September 1999

  7. Ferraiolo, D., Kuhn, R.: Role-based access controls. In: 15th NIST-NCSC National Computer Security Conference, pp. 554–563 (1992)

  8. Harrison, M.A., Ruzzo, W.L., Ullman, J.D.: Protection in operating systems. Commun. ACM 19(8), 461–471 (1976)

  9. Biba, K.: Integrity considerations for secure computer systems. Technical Report ESD-TR-76-372, MITRE, Bedford, Mass (1976)

  10. Krishnan, P., Krishna, P.R., Parida, L. (eds.): Distributed Computing and Internet Technology. Lecture Notes in Computer Science, vol. 10109. Springer, Heidelberg (2017). doi:10.1007/978-3-319-50472-8

  11. Kumar, N.V.N., Shyamasundar, R.K.: Realizing purpose-based privacy policies succinctly via information-flow labels. In: 2014 IEEE Fourth International Conference on Big Data and Cloud Computing, BDCloud 2014, Sydney, Australia, 3–5 December 2014, pp. 753–760. IEEE Computer Society (2014). https://doi.org/10.1109/BDCloud.2014.89

  12. Kumar, N.V.N., Shyamasundar, R.K.: Analyzing protocol security through information-flow control. In: Krishnan et al. [10], pp. 159–171. https://doi.org/10.1007/978-3-319-50472-8_13

  13. Kumar, N.V.N., Shyamasundar, R.K.: Dynamic labelling to enforce conformance of cross domain security/privacy policies. In: Krishnan et al. [10], pp. 183–195. https://doi.org/10.1007/978-3-319-50472-8_15

  14. Kumar, N.V.N., Shyamasundar, R.: Decentralized information flow securing method and system for multilevel security and privacy domains, 29 November 2016. https://www.google.co.in/patents/US9507929, US Patent 9,507,929

  15. Nyanchama, M., Osborn, S.L.: The role graph model and conflict of interest. ACM Trans. Inf. Syst. Secur. 2(1), 3–33 (1999)

  16. Osborn, S., Sandhu, R., Munawer, Q.: Configuring role-based access control to enforce mandatory and discretionary access control policies. ACM Trans. Inf. Syst. Secur. 3(2), 85–106 (2000). http://doi.acm.org/10.1145/354876.354878

  17. Sandhu, R.S.: Lattice-based enforcement of Chinese walls. Comput. Secur. 11(8), 753–763 (1992)

  18. Sandhu, R.S.: Lattice-based access control models. Computer 26(11), 9–19 (1993)

  19. Sandhu, R.S.: Role hierarchies and constraints for lattice-based access controls. In: Bertino, E., Kurth, H., Martella, G., Montolivo, E. (eds.) ESORICS 1996. LNCS, vol. 1146, pp. 65–79. Springer, Heidelberg (1996). doi:10.1007/3-540-61770-1_28

  20. Tuval, N., Gudes, E.: Resolving information flow conflicts in RBAC systems. In: Damiani, E., Liu, P. (eds.) DBSec 2006. LNCS, vol. 4127, pp. 148–162. Springer, Heidelberg (2006). doi:10.1007/11805588_11


Acknowledgement

The work was done as part of Information Security Research and Development Centre (ISRDC) at IIT Bombay, funded by MEITY, Government of India.


Corresponding author: R. K. Shyamasundar.


Copyright information

© 2017 Springer International Publishing AG


Cite this paper

Kumar, N.V.N., Shyamasundar, R.K. (2017). A Complete Generative Label Model for Lattice-Based Access Control Models. In: Cimatti, A., Sirjani, M. (eds) Software Engineering and Formal Methods. SEFM 2017. Lecture Notes in Computer Science, vol 10469. Springer, Cham. https://doi.org/10.1007/978-3-319-66197-1_3

  • DOI: https://doi.org/10.1007/978-3-319-66197-1_3

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-66196-4

  • Online ISBN: 978-3-319-66197-1
