1
Chapter 5: Confidentiality Policies
Overview
What is a confidentiality model
Bell-LaPadula Model: general idea, informal description of rules
November 1, 2004 Introduction to Computer Security ©2004 Matt Bishop
2
Confidentiality Policy
Also called Information Flow Policy. Goal: prevent the unauthorized disclosure of information; deals with information flow; unauthorized alteration of information (integrity) is secondary. Multi-level security models are the best-known examples; the Bell-LaPadula Model is the basis for many, or most, of these.
3
Bell-LaPadula Model, Step 1
Security levels arranged in linear ordering: Top Secret (highest), Secret, Confidential, Unclassified (lowest). A subject has security clearance L(S); an object has a security classification L(O).
4
Example
5
Reading Information
Information flows up, not down: “reads up” disallowed, “reads down” allowed.
Simple Security Condition (Preliminary Version): subject s can read object o iff L(o) ≤ L(s) and s has permission to read o.
Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission).
Sometimes called the “no reads up” rule.
6
Writing Information
Information flows up, not down: “writes up” allowed, “writes down” disallowed.
*-Property (Star Property, Preliminary Version): subject s can write object o iff L(s) ≤ L(o) and s has permission to write o.
Sometimes called the “no writes down” rule.
7
No Write Down
8
Basic Security Theorem, Step 1
If a system is initially in a secure state, and every transition of the system satisfies the simple security condition (preliminary version), and every transition of the system satisfies the *-property (preliminary version), then every state of the system is secure.
9
Bell-LaPadula Model, Step 2
College of Computing and Software Engineering: Department of Computer Science; Department of Information Technology; Department of Software Engineering
10
Bell-LaPadula Model, Step 2
Levels: TOP SECRET, SECRET, CONFIDENTIAL, UNCLASSIFIED. Categories: NUC, EUR, US.
11
Bell-LaPadula Model, Step 2
Security level is (clearance, category set).
Examples: (Top Secret, {NUC, EUR, US}); (Confidential, {EUR, US}); (Secret, {NUC, US}).
Subject s: (Top Secret, {NUC, EUR}). Object o: (Confidential, {US}). Should s have access to o?
12
Levels
Definition: (L, C) dom (L′, C′) iff L′ ≤ L and C′ ⊆ C
Examples: (Top Secret, {NUC, US}) dom (Secret, {NUC}); (Secret, {NUC, EUR}) dom (Confidential, {NUC, EUR}); (Top Secret, {NUC}) ¬dom (Confidential, {EUR})
“dominates” serves the role of “greater than” in step 1
13
Example
George: (Secret, {NUC, EUR}); DocA: (Confidential, {NUC}); DocB: (Secret, {EUR, US}); DocC: (Secret, {EUR}).
George dom DocA? George dom DocB? George dom DocC?
14
Reading Information
Information flows up, not down: “reads up” disallowed, “reads down” allowed.
Simple Security Condition (Step 2): subject s can read object o iff L(s) dom L(o) and s has permission to read o.
Sometimes called the “no reads up” rule.
15
Writing Information
Information flows up, not down: “writes up” allowed, “writes down” disallowed.
*-Property (Step 2): subject s can write object o iff L(o) dom L(s) and s has permission to write o.
Sometimes called the “no writes down” rule.
16
Basic Security Theorem, Step 2
If a system is initially in a secure state, and every transition of the system satisfies the simple security condition (step 2), and every transition of the system satisfies the *-property (step 2), then every state of the system is secure
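The dom relation and the two step 2 rules, worked through on the George/DocA-DocC and s/o examples from the slides. This is an added example, not part of the original presentation; the names Level, level, can_read, can_write and the boolean has_permission (standing in for the discretionary permission) are assumptions made for illustration.

```python
from dataclasses import dataclass

# Linear ordering of clearances from step 1, lowest to highest.
RANK = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Level:
    clearance: str
    categories: frozenset

    def dom(self, other: "Level") -> bool:
        """(L, C) dom (L', C') iff L' <= L and C' is a subset of C."""
        return (RANK[other.clearance] <= RANK[self.clearance]
                and other.categories <= self.categories)


def level(clearance, *categories):
    if clearance not in RANK:
        raise ValueError(f"unknown clearance: {clearance}")
    return Level(clearance, frozenset(categories))


def can_read(subj, obj, has_permission=True):
    """Simple security condition (step 2): L(s) dom L(o), plus assumed DAC flag."""
    return subj.dom(obj) and has_permission


def can_write(subj, obj, has_permission=True):
    """*-property (step 2): L(o) dom L(s), plus assumed DAC flag."""
    return obj.dom(subj) and has_permission


# Subjects and objects taken from the slides.
george = level("Secret", "NUC", "EUR")
docs = {
    "DocA": level("Confidential", "NUC"),
    "DocB": level("Secret", "EUR", "US"),
    "DocC": level("Secret", "EUR"),
}
s = level("Top Secret", "NUC", "EUR")
o = level("Confidential", "US")

if __name__ == "__main__":
    for name, doc in docs.items():
        print(f"George dom {name}: {george.dom(doc)}; "
              f"read={can_read(george, doc)} write={can_write(george, doc)}")
    # Incomparable levels: neither dominates, so neither read nor write.
    print("s dom o:", s.dom(o), "| o dom s:", o.dom(s))
```

Because dom is only a partial order, a pair such as s and o can be incomparable, in which case both the read check and the write check fail regardless of discretionary permission.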