Advanced System Security Dr. Wayne Summers Department of Computer Science Columbus State University Summers_wayne@colstate.edu http://csc.colstate.edu/summers

Models of Security Security models are used to Test a particular policy for completeness and consistency Document a policy Help conceptualize and design an implementation Check whether an implementation meets its requirements

Models of Security Want to build a model to represent a range of sensitivities and to reflect need to separate subjects from objects to which they should not have access. Use the lattice model of security military security model where <= in the model is the relation operator in the lattice (transitive, antisymmetric)

Chapter 5 – Confidentiality Policies Confidentiality policy (information flow policy) Military Security Policy based on protecting classified information Information access is limited by need-to-know rule Each piece of classified info is associated with a compartment Class (classification) - <rank; compartment> Clearance - indication that person is trusted to access info up to a certain level of sensitivity

Bell-LaPadula Model was proposed by Bell and LaPadula of MITRE for enforcing access control in government and military applications. It corresponds to military-style classifications. In such applications, subjects and objects are often partitioned into different security levels. A subject can only access objects at certain levels determined by his security level. For instance, the following are two typical access specifications: ``Unclassified personnel cannot read data at confidential levels'' and ``Top-Secret data cannot be written into the files at unclassified levels''

Informal Description Simplest type of confidentiality classification is a set of security clearances arranged in a linear (total) ordering. Clearances represent the security levels. The higher the clearance, the more sensitive the info. Basic confidential classification system: individuals documents Top Secret (TS) Tamara, Thomas Personnel Files Secret (S) Sally, Samuel Electronic Mails Confidential (C) Claire, Clarence Activity Log Files Unclassified (UC) Ulaley, Ursula Telephone Lists

Mandatory and Discretionary Access Control Bell-LaPadula model combines Mandatory and Discretionary Access Controls. “S has discretionary read (write) access to O” means that the access control matrix entry for S and O corresponding to the discretionary access control component contains a read (write) right. A B C D O Q S read(D) T If the mandatory controls not present, S would be able to read (write) O.

The Bell-LaPadula Model Dominance – s <= O iff ranks <= ranko and compartmentss <= compartmentso Simple Security Condition: S can read O iff lo <= ls and S has discretionary read access to O. (Clearance level of subject is at least as high as that of the information) *-Property: S can write O iff ls <= lo and S has discretionary write access to O. The *-property is used to prevent write-down (subject with access to high-level data transfers that data by writing it to a low-level object.) A secure system has both the simple security condition and the *-property.

The Bell-LaPadula Model discretionary security property (ds property): subjects may pass permission/clearance to other subjects A system is secure if it satisfies the simple security condition, the *-property, and the discretionary security property.

The Bell-LaPadula Model Get-read rule enables a subject s to request the right to read an object o. [preserves both the simple security condition and the *-property.] Give-read rule enables a subject s to give subject t the (discretionary) right to read an object o. [preserves both the simple security condition and the *-property.]

5.3 Tranquility The principal of strong tranquility states that security levels do not change during the lifetime of the system. The principal of weak tranquility states that security levels do not change in a way that violates the rules of a given security policy.