1 Security Policy Models: The Bell-LaPadula Model. Elisabeth C. Sullivan, CSE527


2 Confidentiality Policies
• Recall: confidentiality is the protection of information from unauthorized disclosure.
• Confidentiality policies are concerned with the illicit transmission of information.
• Most frequently used in military or government systems.
  » Often based on clearances and classifications.
• They are also called information flow policies.
• We will focus on the Bell-LaPadula model in this category.

3 Bell-LaPadula (BLP): Historical Perspective
• A state machine model written in the 1970s at MITRE, Bedford, MA
  » Under contract with the Air Force.
  » For the Multics operating system.
• Has been the most influential model of security over the past ~30 years.
  » The policy in the BLP model and some of the elements of the model are embedded within the TCSEC. It purports to implement the Department of Defense (DoD) security policy.
• Has been much debated over the years.

4 What is the TCSEC?
• The Trusted Computer System Evaluation Criteria
  » AKA "The Orange Book"
• Written by the DoD to describe the security and assurance requirements necessary for government and military systems
  » Defined several "rating classes", which were inclusive and increasing: C2, B1, B2, B3, A1
  » Operating system centric
• Used for 17 years as the de facto standard for trusted systems
• Retired in 1999 in favor of new criteria and a new methodology called the Common Criteria.

5 BLP: Anatomy of a Model
• Elements
  » Fundamental definitions
• Components
  » Four entities that describe a state
• Properties
  » Four properties that the model describes
• Rules
  » State transition operators
• Theorems and proofs
  » Justifications and rationale

6 BLP Elements
• Subjects
• Objects
• Access Attributes
• Security Levels

7 BLP Elements: Subjects and Objects
• Subjects: active entities (users, processes, ...)
• Objects: passive entities (data, files, directories, ...)
• Modeling of subjects and objects
  » BLP may model a system where no subjects are objects
  » BLP may model a system where all subjects are objects
  » BLP may model a system where only some subjects are objects.

8 BLP Elements: Access Attributes
Remember these by what they do, and not by the names assigned to them in the BLP literature or the text!
• Observation with no alteration
  » read
• Both alteration and observation
  » edit
  » read and write
• Alteration with no observation
  » readless write, append
• Neither observation nor modification
  » execute
  » search

9 BLP Elements: Security Levels
• Security levels reflect information attached to subjects and objects that is used to make mandatory access control decisions.
  » In BLP, levels reflect issues of government clearances and classification
• The security level of a subject reflects the authorizations that subject has to information
  » In the case of BLP, the subject's maximum level is the subject's security clearance
  » The subject's current level is lower than or equal to its max level.

10 BLP Elements: Security Levels
• The security level of an object reflects the protection requirements of that object
  » In the case of BLP, it is the object's classification
  » An object has only one security level

11 BLP Elements: Security Levels
• The security levels for the subjects and objects of a system form a single set
• A security level has two parts:
  » A classification/clearance
  » A set of categories
• The set has two operations defined on it
  » Equals, an equivalence relation
  » Dominates, a partial ordering

12 Classifications and Clearances
• A clearance is granted to a user based on a requirement to work with classified data and a background investigation
• A classification is assigned to information based on how sensitive the information is in terms of who can read it.
• The classification/clearance designations (that we get to know about ;-) ) are
  » Top Secret T, Secret S, Confidential C, and Unclassified U
  » A fully ordered set where T > S > C > U

13 Categories and Category Sets
• A category is an additional sensitivity assignment based on need-to-know.
  » Separate from the classification/clearance
  » Further restricts access
• A category set is a subset of the set of all categories defined for the system
• They are partially ordered by "contains", the subset relation.
  » If the system supports 3 categories, A, B, C,
  » then there are 8 possible category sets: {}, {A}, {B}, {C}, {A,B}, {A,C}, {B,C}, {A,B,C}
  » {A,B,C} ⊇ {A,B}, {B,C} ⊇ {B}, and so forth.

14 Security Level Samples
• What are the possible security levels from the previous slide?
  » C = {T, S, C, U}, the set of possible clearances/classifications
  » K = [ {}, {A}, {B}, {C}, {A,B}, {A,C}, {B,C}, {A,B,C} ], the power set of the category set {A, B, C}, which defines all the category sets in the system
• List all the possible security levels
  » (T,{}) (T,{A}) (T,{B}) (T,{C}) (T,{A,B}) (T,{A,C}) (T,{B,C}) (T,{A,B,C})
  » (S,{}) (S,{A}) (S,{B}) (S,{C}) (S,{A,B}) (S,{A,C}) (S,{B,C}) (S,{A,B,C})
  » (C,{}) (C,{A}) (C,{B}) (C,{C}) (C,{A,B}) (C,{A,C}) (C,{B,C}) (C,{A,B,C})
  » (U,{})
    – Notice that categories do not apply to unclassified information.

15 Security Level Samples
• Suppose Mary's security level is (S, {A, B}).
  » Then Mary can access the following information:
    – Any information classified S or lower that has no categories
    – Any information classified S or lower that pertains to category A
    – Any information classified S or lower that pertains to category B
  » Mary CANNOT read information that is
    – Classified higher than S
    – Classified S or lower and has a category other than A or B associated with it.
• Suppose a file's security level is (S, {A, B}).
  » It can be accessed only by subjects having a clearance of S or better who have been read into BOTH category A and category B.

16 What is an Equivalence Relation?
• An equivalence relation R on a set S is a relation such that for all elements x, y, z that are members of S (∀ x, y, z ∈ S) the following three things are true:
  » R is reflexive: xRx
  » R is symmetric: if xRy then yRx
  » R is transitive: if xRy and yRz then xRz
• Example: = is an equivalence relation.
  » For any number r, r = r.
  » If x = y, then y = x
  » If x = y and y = z, then x = z

17 What is a Partial Ordering?
• A partial ordering relation R on a set S is a relation such that for all elements x, y, z that are members of S (∀ x, y, z ∈ S) the following three things are true:
  » R is reflexive: xRx
  » R is antisymmetric: if xRy and yRx, then x = y
  » R is transitive: if xRy and yRz then xRz
• Example: ≤ is a partial ordering.
  » For any number r, r ≤ r.
  » If x ≤ y and y ≤ x, then x = y
  » If x ≤ y and y ≤ z, then x ≤ z

18 Security Level Specifics
• The set of security levels is partially ordered by the relation dominates.
  » Let SL1 = (class1, category-set 1) and SL2 = (class2, category-set 2); then
  » SL1 dominates SL2 iff class1 ≥ class2 and
  » category-set 1 ⊇ category-set 2.
• Notice that some security levels cannot be compared using dominates.
  » (S, {A}) does not dominate (S, {B})
  » (S, {B}) does not dominate (S, {A})

19 Security Levels Form a Lattice
• A lattice is a mathematical structure consisting of
  » A finite set of discrete elements S
  » A partial ordering relation R on S: ∀ x, y, z ∈ S
    – R is reflexive: xRx
    – R is antisymmetric: if xRy and yRx, then x = y
    – R is transitive: if xRy and yRz then xRz
  » A function join on S: ∀ x, y ∈ S, join(x,y) = the unique least upper bound (LUB) of x and y
  » A function meet on S: ∀ x, y ∈ S, meet(x,y) = the unique greatest lower bound (GLB) of x and y

20 BLP Security Level Lattice
• S is the set of all security levels
  » Suppose the classifications are T, S, U
  » Suppose the categories are NATO and SIOP. Then the possible category sets are
    – {}, {NATO}, {SIOP}, {NATO, SIOP}
  » Then S = [ (T,{}), (T,{NATO}), (T,{SIOP}), (T,{NATO,SIOP}), (S,{}), (S,{NATO}), (S,{SIOP}), (S,{NATO,SIOP}), (U,{}) ].
• R is dominates, as described for BLP
  » Convince yourself that dominates is reflexive, antisymmetric and transitive.

21 BLP Security Level Lattice
• join(x,y) is the unique least element j for which j dominates x and j dominates y.
  » join((T,{NATO}), (S,{NATO,SIOP})) is (T,{NATO,SIOP})
  » join((S,{NATO}), (C,{SIOP})) is what element?
• meet(x,y) is the unique greatest element m for which x dominates m and y dominates m.
  » meet((T,{NATO}), (S,{NATO,SIOP})) is (S,{NATO})
  » meet((S,{NATO}), (C,{SIOP})) is what element?

22 BLP Example Hasse Diagram
[Diagram: the nine security levels T,{NATO,SIOP}; T,{NATO}; T,{SIOP}; S,{NATO,SIOP}; T,{}; S,{NATO}; S,{SIOP}; S,{}; U,{} connected by downward arrows.]
• Start with T,{NATO,SIOP}, the greatest SL. Call it MaxSL.
• The next level is the set of all security levels x such that MaxSL dom x and there is no security level z such that MaxSL dom z dom x.
• Connect the SLs from above to MaxSL with downward arrows, indicating the dominance relation.
• For each of these 3 SLs, repeat the process above. In this step, each of the 3 SLs points to two new SLs.
• For each of these new SLs, repeat the process above. This time, each of the 3 SLs points to one new SL.
• One more iteration from the 1 SL to the lowest SL completes the lattice, and the arrows complete the Hasse diagram.
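The lattice of slides 18 to 22 worked in code, as an added example that is not part of the slides: dominates, join and meet over (classification, category set) pairs for the T/S/U and NATO/SIOP case, the partial-order check slide 20 asks for, and the covering pairs that are the arrows of the Hasse diagram. Representing a level as a Python tuple of a classification letter and a frozenset is this example's own choice.

```python
from itertools import combinations

# Constructed instance of the lattice on slides 20-22: classifications T > S > U
# and categories NATO and SIOP; unclassified carries no categories (slide 14).
RANK = {"T": 2, "S": 1, "U": 0}
CATEGORIES = ("NATO", "SIOP")

def dominates(a, b):
    """SL1 dominates SL2 iff class1 >= class2 and category set 1 contains set 2."""
    return RANK[a[0]] >= RANK[b[0]] and a[1] >= b[1]

def all_levels():
    """The nine security levels of slide 20 as (classification, frozenset) pairs."""
    levels = []
    for cls in RANK:
        sizes = [0] if cls == "U" else range(len(CATEGORIES) + 1)
        for n in sizes:
            for cats in combinations(CATEGORIES, n):
                levels.append((cls, frozenset(cats)))
    return levels

def join(x, y):
    """Least upper bound: the higher classification and the union of the category sets."""
    return (max(x[0], y[0], key=RANK.get), x[1] | y[1])

def meet(x, y):
    """Greatest lower bound: the lower classification and the intersection of the sets."""
    return (min(x[0], y[0], key=RANK.get), x[1] & y[1])

def is_partial_order(levels):
    """Slide 20's exercise: dominates is reflexive, antisymmetric and transitive."""
    reflexive = all(dominates(x, x) for x in levels)
    antisymmetric = all(x == y or not (dominates(x, y) and dominates(y, x))
                        for x in levels for y in levels)
    transitive = all(dominates(x, z) or not (dominates(x, y) and dominates(y, z))
                     for x in levels for y in levels for z in levels)
    return reflexive and antisymmetric and transitive

def hasse_edges(levels):
    """Downward arrows of the Hasse diagram (slide 22): x dom y with no z strictly between."""
    edges = []
    for x in levels:
        for y in levels:
            if x == y or not dominates(x, y):
                continue
            if any(z not in (x, y) and dominates(x, z) and dominates(z, y) for z in levels):
                continue
            edges.append((x, y))
    return edges

def fmt(level):
    return f"({level[0]},{{{','.join(sorted(level[1]))}}})"

if __name__ == "__main__":
    lv = all_levels()
    print("dominates is a partial order:", is_partial_order(lv))
    for x, y in hasse_edges(lv):
        print(fmt(x), "->", fmt(y))
```

Running it prints the 13 arrows of the slide's diagram: 3 from MaxSL, 6 from the next three levels, 3 into S,{} and 1 from S,{} to U,{}.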

23 BLP Components
• The system state is defined in terms of the following four values, called components
  » Current access set
  » Object hierarchy
  » Access permission matrix
  » Level function

24 BLP Components: Access State
• Current access set
  » Defines the access state as a set of triples (subject, object, access-attribute).
  » "subject" has current "attribute" access to "object".
• Note this is *not* an access control matrix.
  » It does not identify all possible accesses
  » It identifies one possible state, which happens to be the one the system is in right now.

25 BLP Components: Object Hierarchy
[Diagram: two rooted trees, root1 and root2.]
• Object hierarchy
  » A parent-child relation structure on objects.
  » Consists of rooted trees and isolated points.

26 BLP Components: Object Hierarchy
• Compatibility property:
  » The security level of the parent dominates the security level of the child

27 Access Permission Matrix
• One column for each object (including subjects that are objects, if any).
• One row for each subject.
• Cells contain sets of access attributes.
• The cell in the ith row and the jth column contains the access attributes of the ith subject in the matrix (S_i) to the jth object in the matrix (O_j).
[Diagram: matrix with subjects as rows and objects as columns; the cell (S_i, O_j) holds r.]

28 Level Function
• "f" determines security levels for subjects and objects.
  » It can be used to identify the maximum level a subject can hold
  » It can be used to identify the current level at which the subject is operating.
  » It can be used to identify the level of an object.

29 Definition of a System
• Inputs are called requests and outputs are called decisions.
• The system is all sequences (request, decision, state) with some initial state.
• What does it mean for the system to be secure?

30 BLP Simple Security Property (SS)
• If a (subject, object, access attribute) triple is in the current access set, and the access attribute allows observation, then the current level of the subject dominates the level of the object.
• Informally, "no read up"
• This is the first "half" of the MAC properties

31 BLP '*' Property
• If a (subject, object, access attribute) triple is in the current access set, then
  » The level of the object dominates the current level of the subject if the attribute is alteration with no observation.
  » The level of the object equals the current level of the subject if the access attribute is observe and alter.
  » The current level of the subject dominates the level of the object if the access attribute is observe only.
• Informally, "no write down"
• The "second half" of the MAC properties

32 BLP Discretionary Security Property
• A state satisfies the "ds" property if for each member of the current access set, the specified access mode is included in the access matrix entry for the corresponding subject-object pair.
  » Allows an individual to extend access to an object to anyone that is allowed to observe the document under the SS and '*' properties.
  » Can only reduce the set of reachable states.

33 ds Property
• Note that the Access Permission Matrix describes the discretionary access permissions, as already refined by the MAC constraints
  » Essentially, MAC is "checked first"
  » Nothing gets into the access permission matrix unless it meets both SS and '*'.
• The Access Permission Matrix ties identity to permissions.

34 BLP Result 1: The Inductive Nature of Security
• A state is secure if and only if it satisfies the "SS" property, the "*" property and the "ds" property.
• The Basic Security Theorem: if the initial state is secure and every state transition results in a secure state, then the system will always be in a secure state.
  » Illustrates the inductive nature of security.
  » There are three supporting theorems, one relating to each of the three properties.

35 BLP Model Result Two: Rules
• Rules describe how the system moves from one state to another.
  » System inputs are called requests.
  » System outputs are called decisions.
  » A rule takes a request and the current state and produces a decision and the next state: (request, current-state) → (decision, next-state)
• Rules are specific to the system being modeled.
  » The general model has 8 rules.
  » The Multics model has 11 rules.

36 BLP Result 3: Rule Properties/System Properties
• The system specified by a set of rules satisfies SS, '*', and ds if each rule itself introduces no exception to these properties.

37 BLP Model Rules
• Altering current access
  » get access (add a triple to the current access set)
  » release access (remove a triple from the current access set)
• Alter level functions
  » change object level
  » change subject current-level
• Alter access permission
  » give access (add an attribute to a cell of the access permission matrix)
  » rescind access (remove an attribute from a cell of the access permission matrix)
• Alter hierarchy
  » create object
  » delete a group of objects

38 Sample Rule: get_access
• Inputs: subject, object, access attribute to be added
• Preconditions:
  » The SS property must hold for the proposed triple.
    – If the access is one of the two observe modes, the security level of the subject must dominate the security level of the object.
  » The '*' property must hold for the proposed triple.
    – The object level dominates the subject level if the attribute is alteration with no observation.
    – The object level equals the subject level if the access attribute is observe and alter.
    – The subject level dominates the level of the object if the access attribute is observe only.
• Effects: the triple is added to the current access set
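The state components of slide 23 and the get_access rule of slide 38 in code, as an added example that is not the model's or the slides' own notation: a state holds the level function, the access permission matrix and the current access set, and get_access answers "yes" only when SS, '*' and ds all hold for the proposed triple. The subject mary, the three objects, their levels and the matrix cells are constructed; the attribute semantics follow slide 8 (read observes, write observes and alters, append alters only).

```python
# Added example of the BLP state components (slide 23) and the get_access rule
# (slide 38); subjects, objects, levels and matrix cells are constructed.
RANK = {"T": 2, "S": 1, "C": 0}          # classifications used in this example
def dominates(a, b):
    """(class, cats) a dominates b iff class a >= class b and cats a contain cats b."""
    return RANK[a[0]] >= RANK[b[0]] and a[1] >= b[1]
# Attributes by what they do (slide 8): read observes; write observes and alters;
# append alters only; execute does neither.
OBSERVE = {"read", "write"}
ALTER = {"write", "append"}

class BLPState:
    def __init__(self, f_subject, f_object, matrix):
        self.f_subject = f_subject  # level function f: subject -> current level
        self.f_object = f_object    # level function f: object -> level
        self.matrix = matrix        # access permission matrix: (subject, object) -> attributes
        self.current = set()        # current access set: (subject, object, attribute) triples

    def ss_holds(self, s, o, attr):
        """Simple security (no read up): observing requires subject dom object."""
        return attr not in OBSERVE or dominates(self.f_subject[s], self.f_object[o])

    def star_holds(self, s, o, attr):
        """'*' property (no write down), case by case as on slide 31."""
        ls, lo = self.f_subject[s], self.f_object[o]
        if attr in ALTER and attr in OBSERVE:   # observe and alter: levels must be equal
            return ls == lo
        if attr in ALTER:                       # alter without observation: object dom subject
            return dominates(lo, ls)
        if attr in OBSERVE:                     # observe only: subject dom object
            return dominates(ls, lo)
        return True                             # neither (execute): no constraint

    def ds_holds(self, s, o, attr):
        """Discretionary security: the attribute is in the matrix cell for (s, o)."""
        return attr in self.matrix.get((s, o), set())

    def get_access(self, s, o, attr):
        """Rule: (request, state) -> (decision, next state); 'yes' adds the triple."""
        if self.ss_holds(s, o, attr) and self.star_holds(s, o, attr) and self.ds_holds(s, o, attr):
            self.current.add((s, o, attr))
            return "yes"
        return "no"

    def is_secure(self):
        """Slide 34: a state is secure iff every current triple satisfies SS, '*' and ds."""
        return all(self.ss_holds(*t) and self.star_holds(*t) and self.ds_holds(*t)
                   for t in self.current)

def demo():
    """mary at (S,{A,B}) requests access to three objects; returns decisions and state security."""
    lvl = lambda c, *cats: (c, frozenset(cats))
    st = BLPState(
        f_subject={"mary": lvl("S", "A", "B")},
        f_object={"plan": lvl("S", "A", "B"), "ts_report": lvl("T", "A", "B"), "memo": lvl("C")},
        matrix={("mary", "plan"): {"read", "write"}, ("mary", "ts_report"): {"read", "append"},
                ("mary", "memo"): {"write"}})
    requests = [("plan", "read"), ("plan", "write"), ("ts_report", "read"),
                ("ts_report", "append"), ("memo", "write"), ("memo", "read")]
    decisions = {f"{a} {o}": st.get_access("mary", o, a) for o, a in requests}
    return decisions, st.is_secure()
```

demo() refuses read on ts_report (read up), write on memo (levels unequal) and read on memo (MAC passes but the matrix cell lacks read), while append to ts_report is granted because the object level dominates the subject's.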

39 BLP Enhancement Properties
• Tranquillity properties
  » Added after the first McLean/Bell disagreement.
  » Address the issue of security levels changing
    – Strong tranquillity: security levels of subjects and objects do not change, period.
    – Weak tranquillity: security levels of subjects and objects never change in such a way that violates the security policy.

40 The Multics Interpretation of BLP
• Subjects are (process, ring) pairs
• Objects are the usual
• Access attributes for data segments are the same as in the model, but execute is defined as read or execute
• Access attributes for directory segments:
  » execute is interpreted as search
  » read is interpreted as status
  » read/write is status and modify status.

41 The Multics Interpretation of BLP
• Current access set represented by segment descriptor words
• Access Permission Matrix is a big ACL
• Level information is in directory segments and tables
• Branches are the object hierarchy.

42 BLP Rules For Multics
• Altering current access
  » get-read
  » get-write-only
  » get-execute
  » get-read-write
    (these map to the model rule get access)
  » release-read/execute/write
• Alter access permission
  » give-read/write/execute
  » rescind-read/write/execute
• Alter hierarchy
  » create-object
  » delete-object-group

43 BLP Rules For Multics
• Alter level functions
  » change-subject-security-level
  » change-object-security-level
• Note these rules are given in the Multics model but are not implemented in the Multics kernel.
  » Means that Multics enforces strong tranquillity.

44 BLP Extras for Multics
• Trusted subjects:
  » Not constrained by the '*' property
  » Defined by Bell and LaPadula "as a subject that is guaranteed not to consummate a security-breaching information transfer even if it is possible."
    – May have the physical capability to violate policy but do not.
    – Correct functioning is critical to system behavior.
• Communications paths: covert timing channels, covert storage channels
• Sabotage and Integrity: Bell and LaPadula distinguished between them as "undesired" and "approved" erroneous modifications. The terminology didn't last.

45 Comment and Contributions
• BLP was really the first major modeling work that was available to the computer security community.
• It has provided food for thought to hundreds, probably thousands, of researchers, and is still the standard against which all security policy modeling work gets compared.
• BLP still represents the military model of security.
• BLP still stands up to scrutiny when assessed for what it was written for.

46 Summary of BLP Model
• Who developed it, where, when, for what reason?
  » D. Elliott Bell and Len LaPadula, at MITRE under contract with the USAF, for the Multics operating system.
• Is it formal or informal? If formal, what formalism?
  » It is formally stated in the language of mathematics
• What kind of model is it? (confidentiality, integrity, hybrid, non-interference)
  » Confidentiality model, information flow.
• What is the intended environment?
  » Military, classified and sensitive data.
• What are the threats to address?
  » Disclosure

47 Summary of BLP Model
• What are the security objectives?
  » The protection of classified and sensitive data from internal or external disclosure to an unauthorized party.
  » Downgrading, object creation/deletion, changing the current access set, and changing the access matrix are allowed and must be done in a manner consistent with the above.
  » It does not address integrity, availability, auditing, I&A, management of security levels, etc.
• What is the basic structure and what are the elements/components?
  » State machine model with subjects, objects, attributes, and security levels; 4 state-holding components: current access set, object hierarchy, access permission matrix, level function.

48 Summary of BLP Model
• What are the fundamental issues/properties?
  » Simple security property: no read up.
  » '*' property: no write down.
  » Discretionary security property: have to pass SS and * first.
  » Tranquillity property (cannot change security level once instantiated)
  » Compatibility (security level of child cannot dominate security level of parent)
• How is it justified that the policy/model counters the threats?
  » The Basic Security Theorem and 3 underlying theorems.
  » Rules were shown consistent with the security properties by Bell in 1976 (the year after the model was released).

