Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Announcement: End of Campaign Celebration When: Wednesday, October 1, 15:30 Where: New building site (NW corner 3 rd & University) Please attend and.

Published byFay Reed Modified over 8 years ago

Similar presentations

Presentation on theme: "1 Announcement: End of Campaign Celebration When: Wednesday, October 1, 15:30 Where: New building site (NW corner 3 rd & University) Please attend and."— Presentation transcript:

1 1 Announcement: End of Campaign Celebration When: Wednesday, October 1, 15:30 Where: New building site (NW corner 3 rd & University) Please attend and show your appreciation for donors, trustees, and others who’ve made this happen

2 CS526: Information Security Chris Clifton September 30, 2003 Bell-LaPadula Model

3 3 Confidentiality Policy: Bell-LaPadula Model Formally models military-style classification –Multi-level access control Mandatory Access Control –Clearance Discretionary Access Control –Need to Know First real attempt to model and prove security of real systems

4 4 Bell-LaPadula: Basics Mandatory access control (Security Level) –Subject has clearance L(S) = l s –Object has classification L(O) = l o –Clearance/Classification ordered l i < l i+1 Discretionary access control –Matrix: Subject has read (write) on Object Need both to perform operation

5 5 Access Rules (Preliminary) S can read O if and only if –l o ≤ l s and –S has discretionary read access to O S can write O if and only if –l s ≤ l o and –S has discretionary write access to O Secure system: One with above properties Theorem: Let Σ be a system with secure initial state σ 0, T be a set of state transformations –If every element of T follows rules, every state σ i secure –Proof - induction

6 6 Categories Total order of classifications not flexible enough –Alice cleared for missiles –Bob cleared for warheads –Both cleared for targets Solution: Categories –Set of compartments –S can access O if C(S)  C(O) Combining with clearance: –(L,C) dominates (L’,C’)  L’ ≤ L and C’  C –Induces lattice instead of levels

7 7 Access Rules Simple Security Condition: S can read O if and only if –S dom O and –S has discretionary read access to O *-Property: S can write O if and only if –O dom S and –S has discretionary write access to O Secure system: One with above properties Theorem: Let Σ be a system with secure initial state σ 0, T be a set of state transformations –If every element of T follows rules, every state σ i secure

8 8 Problem: No write-down Cleared subject can’t talk to non-cleared subject Any write from l i to l k, i > k, would violate *- property –Subject at l i can only write to l i and above Any read from l k to l i, i > k, would violate simple security property –Subject at l k can only read from l k and below Subject at level i can’t write something readable by subject at k –Not very practical

9 9 Solution: Active Level Subject has maximum and current level –M–Maximum must dominate current –R–Rules apply to current security level What does this mean for security? –S–Subject is trusted when maximum  current

10 10 Instantiating the Model What must be defined? –Levels –Categories –Subjects, objects –Meaning of read and write

11 CS526: Information Security Chris Clifton February 10, 2003 Bell-LaPadula Formal Model

12 12 Formalizing Bell-LaPadula: System consists of Set of subjects S Set of objects O Set of rights P = { r (read), a (write), w (read/write), e (empty)} Set of possible access control matrices M Set of classifications C Set of categories K Levels L = C  K Set F of tuples (f s, f o, f c ) representing –f s : Maximum security level of subject –f o : Security level of object –f c : Current security level of subject

13 13 Formalizing Bell-LaPadula Objects in a hierarchy h: O  P(O) –o i  o j  h(o i )  h(o j ) =  (no two nodes at same point) –There is no { o 1, o 2, …, o k }  O such that  i = 1,…,k, o i+1  h(o i ) and o k+1 = o 1 (no cycles) State v  V is a 4-tuple (b,m,f,h) –b  P(S  O  P) indicates which subjects can access which objects and what the rights are R denotes requests for access D set of outcomes –yes, no, illegal, error Actions W  R  D  V  V –Request leads to outcome, moving from one state to another System Σ(R, D, W, z 0 )  R N  D N  V N –Set of states that result from a given set of actions –(r,d,v,v’)  W an action of Σ iff  time t, (x,y,z)  Σ such that (r,d,v,v’) = (x t,y t,z t,z t-1 )

14 14 A System is Secure if it Satisfies: Simple security condition satisfied for (s, o, p)  S  O  P relative to f iff –p = e or p = a –p = r or p = w and f s (s) dom f o (o) *-property satisfied for (b, m, f, h) iff  s  S –b(s:a)    [  o  b(s: a) [f o (o) dom f c (s)]] –b(s:w)    [  o  b(s: w) [f o (o) = f c (s)]] –b(s:r)    [  o  b(s: r) [f c (s) dom f o (o)]] Discretionary security property satisfied for (b, m, f, h) iff  (s, o, p)  b, p  m[s,o]

15 CS526: Information Security Chris Clifton October 2, 2003 Bell-LaPadula Model: Application to Multics

16 16 Theorem: Simple Security Condition Σ(R, D, W, z 0 ) satisfies simple security condition for any secure z 0 iff  actions (r, d, (b, m, f, h), (b’, m’, f’, h’)), W satisfies –  (s, o, p)  b – b’ ssc satisfied relative to f –  (s, o, p)  b’ not satisfying ssc relative to f, (s, o, p)  b Proof: –If: Induction – each transition maintains secure state –Only if: A transition from a secure to non-secure state requires an action not satisfying ssc

17 17 Theorem: *-property Σ(R, D, W, z 0 ) satisfies *-property relative to S’  S for any secure z 0 iff  actions (r, d, (b, m, f, h), (b’, m’, f’, h’)), W satisfies  s  S’ –  (s, o, p)  b – b’, *-property satisfied for S’ –  (s, o, p)  b not satisfying *-property for S’, (s, o, p)  b’ Proof similar Similar theorem for ds-property Basic Security Theorem: Σ(R, D, W, z 0 ) secure if z 0 secure and W satisfies conditions of above theorems

18 18 Transformation Rules ρ:R  V  D  V –Takes request and state, produces outcome and state ρ is ssc-preserving if  (r,v)  R  V where v satisfies ssc rel f, –ρ(r,v) = (d,v’)  v’ satisfies ssc rel f’ ω = {ρ 1, …, ρ m }. For r  R, d  D, and v,v’  V –(r, d, v, v’)  W(ω)  d  i and  1 ≤ i ≤ m such that ρ i (r,v) = (d,v’) –If request is legal and only one rule causes change, corresponding action exists

19 19 Transformation Theorems Let ω be a set of ssc-preserving rules, z 0 a state satisfying ssc. –Σ(R, D, W(ω), z 0 ) satisfies the simple security condition Proof: Assume z t not secure, z t-1 secure. –Forces rule not meeting ssc-preserving rule definition Similar definitions, theorems for other properties

20 CS526: Information Security Chris Clifton February 12, 2003 Bell-LaPadula Model: Application to Multics

21 21 Multics: Background Early time-sharing operating system –Previous computers processed batch jobs one at a time Security policy easy to enforce –Time sharing introduces new challenges Five categories of rules –Requests for access –Permission granting –Object reclassification –Delete object –Subject reclassification Trusted users: *-property not enforced

22 22 Rule List (all rules return yes/no) Access requests:R (1) = Q  S  O  M –get-read, get-append, get-execute, get-write –release-read, append, execute, write Permission granting:R (2) = S  Q  S  O  M –give/rescind read/append/execute/write Object reclassification:R (3) = Q  S  O  L –create-object, change-object-security-level Delete object: R (4) = S  O –delete-object-group deletes object and children Subject reclassification:R (5) = S  L –change-subject-current-security-level

23 23 Modeling with Bell-LaPadula: get-read r = (get, s, o, r)  R (1) request v = (b, m, f, h)system state if ( r  Δ(ρ 1 ) ) then ρ 1 (r,v) = (i, v)bad arguments else if (f s (s) dom f o (o) ssc preserving and [ s  S T or f c (s) dom f o (o) ] *-property and r  m[s,o]) discretionary access control then ρ 1 (r,v) = (y, (b  { (s, o, r) }, m, f, h)) else ρ 1 (r,v) = (n, v) Theorem: get-read is secure –Assume v secure –Either v’ = v, or v’ = v with { (s, o, r) } added to accesses (s, o, r) must satisfy security properties to reach where it is added Similar rules for get-append, execute, write

24 24 Modeling with Bell-LaPadula: give-read Idea: give-read allowed if requester can write to parent of object –Based on hierarchy of objects –Special handling of root: set of subjects allowed requests r = (s 1, give, s 2, o, r)  R (2), v = (b, m, f, h) if ( r  Δ(ρ 6 ) ) then ρ 6 (r,v) = (i, v) else if ([ o  root(o) and parent(o)  root(o) and parent(o)  b(s 1 : w) ] or [parent(o) = root(o) and canallow(s 1, o, v) ] or [o = root(o) and canallow(s 1, root(o), v) ] ) then ρ 6 (r,v) = (y, (b, m + m[s 2,o]  r, f, h)) else ρ 6 (r,v) = (n, v) Theorem: give-read is secure –Only possible change is to access control matrix No effect on mandatory access control policies –discretionary security property definition:  (s,o,p)  b, p  m[s,o] b = b’, m  m’

25 25 Multics: Other Rules State v = (b, m, f, h) Create/reclassify –W–What needs to be checked? Delete –D–Does this affect mandatory access control? Change security level How do we model these? –S–See the homework

26 26 Will this guarantee Multics is Secure? Demonstrates design secure –Implementation must enforce rules Reduces problem –Smaller “compartments” that must be validated Examples –Rule returns right answer –access only if in b –Others?

Download ppt "1 Announcement: End of Campaign Celebration When: Wednesday, October 1, 15:30 Where: New building site (NW corner 3 rd & University) Please attend and."

Similar presentations

Information Flow and Covert Channels November, 2006.

Information Flow and Covert Channels November, 2006.
CS4231 Parallel and Distributed Algorithms AY 2006/2007 Semester 2 Lecture 6 Instructor: Haifeng YU.

CS4231 Parallel and Distributed Algorithms AY 2006/2007 Semester 2 Lecture 6 Instructor: Haifeng YU.
6.1 Vector Spaces-Basic Properties. Euclidean n-space Just like we have ordered pairs (n=2), and ordered triples (n=3), we also have ordered n-tuples.

6.1 Vector Spaces-Basic Properties. Euclidean n-space Just like we have ordered pairs (n=2), and ordered triples (n=3), we also have ordered n-tuples.
I NFORMATION S ECURITY : C ONFIDENTIALITY P OLICIES (C HAPTER 4) Dr. Shahriar Bijani Shahed University.

I NFORMATION S ECURITY : C ONFIDENTIALITY P OLICIES (C HAPTER 4) Dr. Shahriar Bijani Shahed University.
ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.

ITIS 3200: Introduction to Information Security and Privacy Dr. Weichao Wang.
Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula Model –General idea –Informal description of rules.

Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality model Bell-LaPadula Model –General idea –Informal description of rules.
Access Control Intro, DAC and MAC System Security.

Access Control Intro, DAC and MAC System Security.
1 Confidentiality Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 18, 2004.

1 Confidentiality Policies CSSE 490 Computer Security Mark Ardis, Rose-Hulman Institute March 18, 2004.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
Confidentiality Policies  Overview  What is a confidentiality model  Bell-LaPadula Model  General idea  Informal description of rules  Formal description.

Confidentiality Policies  Overview  What is a confidentiality model  Bell-LaPadula Model  General idea  Informal description of rules  Formal description.
1 Introduction to Computability Theory Lecture13: Mapping Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture13: Mapping Reductions Prof. Amos Israeli.
Bell-LaPadula Model. www.wiley.com/go/gollmann2 Why Security Models?  When we have implemented a security policy, do we know that it will (and can) be.

Bell-LaPadula Model. Why Security Models?  When we have implemented a security policy, do we know that it will (and can) be.
June 1, 2004Computer Security: Art and Science ©2002-2004 Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.

June 1, 2004Computer Security: Art and Science © Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.
April 20, 2004ECS 235Slide #1 DG/UX System Provides mandatory access controls –MAC label identifies security level –Default labels, but can define others.

April 20, 2004ECS 235Slide #1 DG/UX System Provides mandatory access controls –MAC label identifies security level –Default labels, but can define others.
1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.

1 cs691 chow C. Edward Chow Confidentiality Policy CS691 – Chapter 5 of Matt Bishop.
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #5-1 Chapter 5: Confidentiality Policies Overview –What is a confidentiality.
Sicurezza Informatica Prof. Stefano Bistarelli

Sicurezza Informatica Prof. Stefano Bistarelli
November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #6-1 Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson.

November 1, 2004Introduction to Computer Security ©2004 Matt Bishop Slide #6-1 Chapter 6: Integrity Policies Overview Requirements Biba’s models Clark-Wilson.
Dr. Kalpakis CMSC 621, Advanced Operating Systems. Fall 2003 URL: Security & Protection.

Dr. Kalpakis CMSC 621, Advanced Operating Systems. Fall 2003 URL: Security & Protection.
CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 19 Jonathan Katz.

Similar presentations

Ads by Google