Data processing: database and file management or data structures – Database design – Data structure types
Reexamination Certificate
1999-10-29
2002-08-06
Kindred, Alford W. (Department: 2172)
Data processing: database and file management or data structures
Database design
Data structure types
C707S793000, C713S152000, C713S152000
Reexamination Certificate
active
06430561
ABSTRACT:
FIELD OF THE INVENTION
The subject invention relates to a security policy for controlling access to data, and specifically to the control of access to files on a storage device such as smart cards.
BACKGROUND OF THE INVENTION
A formal model of security is essential when reasoning about the security of a system. Security models can be broken down into three major categories: (1) models that protect against unauthorized disclosure of information, (2) models that protect against unauthorized tampering or sabotage, and (3) models that protect against denial of service. Protection against disclosure of information has been understood the longest and has the simplest models. Protection against tampering or sabotage has been less well understood and appropriate models are only now under development. Protection against denial of service is not well understood today.
A first requirement of many security systems is preventing unauthorized disclosure of information. Classes of mechanisms include discretionary access controls and mandatory access controls. Discretionary access controls are the commonly available security controls based on the fully general Lampson access matrix . (Lampson, B. W., Protection. Operating Systems Review, January 1974. 8(1): p. 18-24. originally published in Proceedings of the Fifth Princeton Conference on Information Sciences and Systems, March 1971.) They are called discretionary, because the access rights to an object may be determined at the discretion of the owner or controller of the object. Both access control list and capability systems are examples of discretionary access controls. The presence of Trojan horses in the system can cause great difficulties with discretionary controls. The Trojan horse could surreptitiously change the access rights on an object or could make a copy of protected information and give threat copy to some unauthorized user. All forms of discretionary controls are vulnerable to this type of Trojan horse attack. A Trojan horse in a capability system could make a copy of a capability for a protected object and then store that capability in some other object to which a penetrator would have read access. In both cases, the information is disclosed to an unauthorized recipient.
Lampson (Lampson, B. W., A note on the confinement problem. Communications of the ACM, October 1973. 16(10): p. 613-615.) has defined the confinement problem as determining whether there exists a series of operations in a security system that will ultimately leak some information to some unauthorized individual. Harrison, Ruzzo, and Ullman (Harrison, M. A., W. L. Ruzzo, and J. D. Ullman, Protection in Operating Systems. Communications of the ACM, August 1976. 19(8): p. 461-471.) have shown that there is no solution to the confinement problem for fully general, discretionary access controls, such as either a general access control list or capability system. Their argument is based on modeling the state transitions of the access matrix as the state transitions of a Turing machine. They show that solving the confinement problem is equivalent to solving the Turing machine halting problem.
The paths over which a Trojan horse leaks information are called covert channels. Covert channels can be divided into two major categories: storage channels and timing channels. Information can be leaked through a storage channel by changing the values of any of the state variables of the system. Thus, contents of files, names of files, and amount of disk space used are all examples of potential storage channels. A Trojan horse can leak information through a storage channel in a purely asynchronous fashion. There are no timing dependencies.
By contrast, information can be leaked through a timing channel by modifying the length of time that system functions take to complete. For example, a Trojan horse could encode information into deliberate modifications of the system page fault rate. Timing channels all use synchronous communication and require some form of external clocking.
Mandatory access controls have been developed to deal with the Trojan horse problems of discretionary access controls. The distinguishing feature of mandatory access controls is that the system manager or security officer may constrain the owner of an object in determining who may have access rights to that object. All mandatory controls, to date, have been based on lattice security models.
Various models describing security properties of computing systems and users exist in the art. Because access is at the heart of the security requirements of computing systems, access control is the basis of many of these models. Of particular interest are lattice security models. A lattice security model consists of a set of access classes that form a partial ordering. Access classes that are not ordered are called disjoint. Any two access classes may be less than, greater than, equal to, or not ordered with respect to one another. Furthermore, there exists a lowest access class, called system low, such that system low is less than or equal to all other access classes. There also exists a highest access class, called system high, such that all other access classes are less than or equal to system high.
A very simple lattice might consist of two access classes: LOW and HIGH. LOW is less than HIGH. LOW is system low, and HIGH is system high. A slightly more complex example might be a list of secrecy levels, such as UNCLASSIFIED, CONFIDENTIAL, SECRET, and TOP SECRET. In this case, UNCLASSIFIED is system low, and TOP SECRET is system high. Each level in the list represents data of increasing secrecy.
There is no requirement for strict hierarchical relationships between access classes. The U.S. military services use a set of access classes that have two parts: a secrecy level and a set of categories. Categories represent compartments of information for which an individual must be specially cleared. To gain access to information in a category, an individual must be cleared, not only for the secrecy level of the information, but also for the specific category. For example, if there were a category NUCLEAR, and some information classified SECRET-NUCLEAR, then an individual with a TOP SECRET clearance would not be allowed to see that information, unless the individual were specifically authorized for the NUCLEAR category.
Information can belong to more than one category, and category comparison is done using subsets. Thus, in the military lattice model, for access class A to be less than or equal to access class B, the secrecy level of A must be less than or equal to the secrecy level of B, and the category set of A must be an improper subset of the category set of B. Since two category sets may be disjoint, the complete set of access classes has only a partial ordering. There is a lowest access class, {UNCLASSIFIED-no categories}, and a highest access class, {TOP SECRET-all categories}. The access classes made up of levels and category sets form a lattice.
Lattice models were first developed at the MITRE Corporation by Bell and LaPadula (Bell, D. E. and L. J. LaPadula, Secure Computer Systems: A Mathematical Model, ESD-TR-73-278, Vol. II, November 1973, The MITRE Corporation, Bedford, Mass.: HQ Electronic Systems Division, Hanscom AFB, Mass.) and at Case Western Reserve University by Walter (Walter, K. G., W. F. Ogden, W. C. Rounds, F. T. Bradshaw, S. R. Ames, and D. G. Shumway, Primitive Models for Computer Security, ESD-TR-74-117, Jan. 23, 1974, Case Western Reserve University, Cleveland, Ohio: HQ Electronic Systems Division, Hanscom AFB, Mass.) to formalize the military security model and to develop techniques for dealing with Trojan horses that attempt to leak information. At the time, dealing with Trojan horses was difficult, yet it was found that two quite simple properties could prevent a Trojan horse from compromising sensitive information.
First, the simple security property says that if a subject wishes to gain read access to an object, the access class of the object must be less than or equal
Austel Vernon Ralph
Karger Paul Ashley
Toll David Claude
International Business Machines - Corporation
Kindred Alford W.
Ratner & Prestia
LandOfFree
Security policy for protection of files on a storage device does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Security policy for protection of files on a storage device, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Security policy for protection of files on a storage device will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2881014