Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mandatory Access Control

Published byТаисия Моргун Modified over 5 years ago

Similar presentations

Presentation on theme: "Mandatory Access Control"— Presentation transcript:

1 Mandatory Access Control

2 Multilevel Security (MLS)
MLS needed when subjects/objects at different levels access the same system MLS is a form of Access Control Military and Government interest in MLS for many decades Lots of research into MLS Strengths and weaknesses of MLS well understood (almost entirely theoretical) Many possible uses of MLS outside military

3 MLS Applications Classified Government/Military systems
Business example: info restricted to Senior Management only, All Management, Everyone in company, or General public Network firewall Confidential medical info, databases, etc. Usually, MLS are not really a technical system More like part of a legal structure

4 MLS Security Models MLS models explain what needs to be done
Models do not tell you how to implement Models are descriptive, not prescriptive That is, high-level description, not an algorithm There are many MLS models We’ll discuss simplest MLS model Other models are more complex, more difficult to enforce, harder to verify, etc.

5 1. Bell-LaPadula (BLP) BLP security model designed to express essential requirements for MLS Captures the minimal requirements with respect to the Confidentiality. BLP deals with Confidentiality To prevent unauthorized reading Let’s assume that O is an object, S is a subject Object O has a Classification Subject S has a Clearance Security level denoted L(O) and L(S)

6 Bell-LaPadula BLP consists of No read up, no write down
Simple Security Condition: S can read O if and only if (iff) L(O)  L(S) *-Property (Star Property): S can write O if and only if (iff) L(S)  L(O) No read up, no write down

7 Bell-LaPadula: Basics
Mandatory access control Entities are assigned security levels Subject has security clearance L(S) = ls Object has security classification L(O) = lo Simplest case: Security levels are arranged in a linear order li < li+1 Example Top Secret > Secret > Confidential >Unclassified

8 “No Read Up” Information is allowed to flow up, not down
Simple security property: S can read O if and only if lo ≤ ls and S has discretionary (available for use) read access to O Combines mandatory (security levels) and discretionary (permission required) Prevents subjects from reading objects at higher levels (No Read Up Rule)

9 “No Write Down” Information is allowed to flow up, not down *property
S can write O if and only if ls ≤ lo and S has write access to O Combines mandatory (security levels) and discretionary (permission required) Prevents subjects from writing to objects at lower levels (No Write Down Rule)

10 Example Remember: No read up, no write down security level subject
object Top Secret Tamara Personnel Files Secret Samuel Files Confidential Claire Activity Logs Unclassified Ulaley Telephone Lists Tamara can read which objects? And she can write? Claire cannot read which objects? And she cannot write? Ulaley can read which objects? And she can write? Remember: No read up, no write down

11 BLP: The Bottom Line BLP is simple, probably too simple
BLP is one of the few security models that can be used to prove things about systems BLP has inspired other security models Most other models try to be more realistic Other security models are more complex Models difficult to analyze, apply in practice

12 Biba’s Model BLP for confidentiality, Biba for integrity
Biba is to prevent unauthorized writing Biba is (in a sense) the dual of BLP Integrity model Suppose you trust the integrity of O1 but not O2 If object O includes O1 and O2 then you cannot trust the integrity of O Integrity level of O is minimum of the integrity of any object in O Low water mark principle for integrity For confidentiality: we apply high water mark

13 Biba’s Integrity Policy Model
Based on Bell-LaPadula Subject, Objects have Integrity Levels with dominance relation Higher levels More reliable/trustworthy More accurate

14 Biba Let I(O) denote the integrity of object O and I(S) denote the integrity of subject S Biba can be stated as Write Access Rule: S can write O if and only if I(O)  I(S) (otherwise O will be contaminated with the untrusted S) Biba’s Model: S can read O if and only if I(S)  I(O) (otherwise S will be contaminated with the untrusted O) It is very restrictive, so it is often replaced with Low Water Mark Policy: If S reads O, then I(S) = Min( I(S) , I(O) )

15 Biba’s model Strict Integrity Policy (dual of Bell-LaPadula)
Note: you may think of it as a military command S can read O iff I(S) ≤ I(O) (No Read-Down) Why? S can write O iff I(O) ≤ I(S) (No Write-Up)

16 BLP vs. Biba BLP Biba l e v high low L(O2) L(O1) L(O) Confidentiality
I(O2) I(O1) I(O) Biba Integrity

Download ppt "Mandatory Access Control"

Similar presentations

ACCESS-CONTROL MODELS

ACCESS-CONTROL MODELS
Information Flow and Covert Channels November, 2006.

Information Flow and Covert Channels November, 2006.
1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.

1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.
Lecture 8 Access Control (cont)

Lecture 8 Access Control (cont)
I NFORMATION S ECURITY : C ONFIDENTIALITY P OLICIES (C HAPTER 4) Dr. Shahriar Bijani Shahed University.

I NFORMATION S ECURITY : C ONFIDENTIALITY P OLICIES (C HAPTER 4) Dr. Shahriar Bijani Shahed University.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula Model –General idea –Informal description of rules.

Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula Model –General idea –Informal description of rules.
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
1 Confidentiality Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 18, 2004.

1 Confidentiality Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 18, 2004.
Confidentiality Policies  Overview  What is a confidentiality model  Bell-LaPadula Model  General idea  Informal description of rules  Formal description.

Confidentiality Policies  Overview  What is a confidentiality model  Bell-LaPadula Model  General idea  Informal description of rules  Formal description.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.
Sicurezza Informatica Prof. Stefano Bistarelli

Sicurezza Informatica Prof. Stefano Bistarelli
User Domain Policies.

User Domain Policies.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #6-1 Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #6-1 Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson.
Policy, Models, and Trust 1. Security Policy A security policy is a well-defined set of rules that include the following: Subjects: the agents who interact.

Policy, Models, and Trust 1. Security Policy A security policy is a well-defined set of rules that include the following: Subjects: the agents who interact.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.
1 IS 2150 / TEL 2810 Introduction to Security James Joshi Assistant Professor, SIS Lecture 5 September 27, 2007 Security Policies Confidentiality Policies.

1 IS 2150 / TEL 2810 Introduction to Security James Joshi Assistant Professor, SIS Lecture 5 September 27, 2007 Security Policies Confidentiality Policies.
Security Policy Models CSC 482/582: Computer Security.

Security Policy Models CSC 482/582: Computer Security.
CH14 – Protection / Security. Basics Potential Violations – Unauthorized release, modification, DoS External vs Internal Security Policy vs Mechanism.

CH14 – Protection / Security. Basics Potential Violations – Unauthorized release, modification, DoS External vs Internal Security Policy vs Mechanism.
Computer Science 653 Lecture Authorization

Computer Science 653 Lecture Authorization

Similar presentations

Ads by Google