security software development
< Use of the Farakonesh site's material is permitted with citation of the source. >
Security Policy
• What is a security policy?
Defines what it means for a system to be secure
• Formally: Policy partitions system states into:
Authorized (secure) states: These are states the system can enter
Unauthorized (nonsecure) states: If the system enters any of these states, it's a security violation (a breach of security)
• Secure system
Starts in an authorized state
Never enters unauthorized states
Example
• S1 and S2 are authorized states
• S3 and S4 are unauthorized states
• Is this Finite State Machine Secure?
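The slide's transition diagram is not reproduced here, so the transitions below are constructed for illustration (added example, not the lecture's own material). It applies the definition directly: a machine is secure if its initial state is authorized and no unauthorized state is reachable from it.

```python
from collections import deque

# Constructed example (not the slide's figure): S1, S2 authorized and
# S3, S4 unauthorized as on the slide; the transitions are assumed.
AUTHORIZED = {"S1", "S2"}
UNAUTHORIZED = {"S3", "S4"}


def reachable(transitions, start):
    """Return every state reachable from `start`, including `start`."""
    seen = {start}
    queue = deque([start])
    while queue:
        s = queue.popleft()
        for t in transitions.get(s, ()):
            if t not in seen:
                seen.add(t)
                queue.append(t)
    return seen


def is_secure(transitions, initial, authorized):
    """Secure = starts in an authorized state and never enters an
    unauthorized one. Returns (secure, set of unauthorized states reachable)."""
    if initial not in authorized:
        return False, {initial}
    bad = reachable(transitions, initial) - authorized
    return not bad, bad


# Machine A: from S1 only S1 <-> S2 are reachable; S3/S4 exist but are unreachable.
MACHINE_A = {"S1": ["S2"], "S2": ["S1"], "S3": ["S4"], "S4": ["S1"]}
# Machine B: one extra edge S2 -> S3 makes the unauthorized states reachable.
MACHINE_B = {"S1": ["S2"], "S2": ["S1", "S3"], "S3": ["S4"], "S4": ["S1"]}

if __name__ == "__main__":
    for name, machine in (("A", MACHINE_A), ("B", MACHINE_B)):
        ok, bad = is_secure(machine, "S1", AUTHORIZED)
        print(f"machine {name}: secure={ok}, unauthorized reachable={sorted(bad)}")
```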
Security Models / Policy Models
Abstract description of a policy or class of policies
Types of Security Policies
• Military (governmental) security policy
Policy primarily protecting confidentiality
• Commercial security policy
Policy primarily protecting integrity
• Confidentiality policy
Policy protecting only confidentiality
• Integrity policy
Policy protecting only integrity
Confidentiality Property
• X set of entities, I information
• I has the confidentiality property with respect to X if no x ∈ X can obtain information from I
• I can be disclosed to others
• Example:
X set of students
I final exam answer key
I is confidential with respect to X if students cannot obtain final exam answer key
Integrity Property
• X set of entities, I information
• I has the integrity property with respect to X if all x ∈ X trust the information in I
• Types of integrity:
trust I, its transportation and protection (data integrity)
I information about origin of something or an identity (origin integrity, authentication)
I resource: means resource functions as it should (assurance)
Availability Property
• X set of entities, I resource
• I has the availability property with respect to X if all x ∈ X can access I
• Types of availability:
traditional: x gets access or not
quality of service: a level of access is promised (for example, a specific level of bandwidth) but not met, even though some access is achieved
Question
• Policy disallows cheating
Includes copying homework, with or without permission
• CS class has students do homework on computer
• Alice forgets to read-protect her homework file
• Bob copies it
• Who cheated?
Alice, Bob, or both?
References
Matt Bishop, Computer Security: Art and Science, Chapters 4 & 5, 2002-2004.
Chris Clifton, CS 526: Information Security course, Purdue University, 2010.
William Stallings and Lawrie Brown, Computer Security: Principles and Practice, 3/e, Chapter 13, 2011.
Security Models and Architecture, CISSP Exam Preparation, Bernie Eydt, EDS