Chapter 5: Confidentiality Policies Overview What is a confidentiality model Bell-LaPadula Model General idea Informal description of rules November 1, 2004 Introduction to Computer Security ©2004 Matt Bishop

Confidentiality Policy Also called Information Flow Policy; Goal: prevent the unauthorized disclosure of information Deals with information flow; Unauthorized alteration of information (integrity) is secondary; Multi-level security models are best-known examples Bell-LaPadula Model basis for many, or most, of these November 1, 2004 Introduction to Computer Security ©2004 Matt Bishop

Bell-LaPadula Model, Step 1 Security levels arranged in linear ordering Top Secret: highest Secret Confidential Unclassified: lowest A subject has security clearance L(S); An object has a security classification L(O);

Example https://image1.slideserve.com/2402281/the-bell-lapadula-model-n.jpg

Reading Information Information flows up, not down “Reads up” disallowed, “reads down” allowed Simple Security Condition (Preliminary Version) Subject s can read object o iff L(o) ≤ L(s) and s has permission to read o Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission) Sometimes called “no reads up” rule November 1, 2004 Introduction to Computer Security ©2004 Matt Bishop

Writing Information Information flows up, not down “Writes up” allowed, “writes down” disallowed *-Property (Star Property, Preliminary Version) Subject s can write object o iff L(s) ≤ L(o) and s has permission to write o Sometimes called “no writes down” rule

No Write Down https://www.happyschools.com/wp-content/uploads/2015/09/university-organization-chart.jpg

Basic Security Theorem, Step 1 If a system is initially in a secure state, and every transition of the system satisfies the simple security condition (preliminary version), and every transition of the system satisfies the and the *-property (preliminary version), then every state of the system is secure;

Bell-LaPadula Model, Step 2 College of Computing and Software Engineering Department of Computer Science Department of Information Technology Department of Software Engineering

Bell-LaPadula Model, Step 2 TOP SECRET NUC EUR US SECRET CONFIDENTIAL UNCLASSIFIED

Bell-LaPadula Model, Step 2 Security level is (clearance, category set) Examples ( Top Secret, { NUC, EUR, US } ) ( Confidential, { EUR, US } ) ( Secret, { NUC, US } ) Subject s: ( Top Secret, { NUC, EUR } ) Object o: ( Confidential, {US } ) Should s have access to o?

Levels Definition: (L, C) dom (L, C) iff L ≤ L and C  C Examples (Top Secret, {NUC, US}) dom (Secret, {NUC}) (Secret, {NUC, EUR}) dom (Confidential,{NUC, EUR}) (Top Secret, {NUC}) dom (Confidential, {EUR}) “dominates” serves the role of “greater than” in step 1

Example George: (Secret, {NUC, EUR}) DocA: (Confidential, {NUC}) DocB: (Secret, {EUR, US}) DocC: (Secret, {EUR}) George dom DocA? George dom DocB? George dom DocC?

Reading Information Information flows up, not down “Reads up” disallowed, “reads down” allowed Simple Security Condition (Step 2) Subject s can read object o iff L(s) dom L(o) and s has permission to read o Sometimes called “no reads up” rule

Writing Information Information flows up, not down *-Property (Step 2) “Writes up” allowed, “writes down” disallowed *-Property (Step 2) Subject s can write object o iff L(o) dom L(s) and s has permission to write o Sometimes called “no writes down” rule

Basic Security Theorem, Step 2 If a system is initially in a secure state, and every transition of the system satisfies the simple security condition (step 2), and every transition of the system satisfies the *-property (step 2), then every state of the system is secure