Lattice-Based Access Control Models Ravi S. Sandhu Colorado State University CS 681 Spring 2005 John Tesch.


1 Lattice-Based Access Control Models Ravi S. Sandhu Colorado State University CS 681 Spring 2005 John Tesch

2 Motivation Examine the theoretical foundations of lattice-based access control Show how the basic security objectives of confidentiality, integrity and availability are related to information flow policy Relevancy of models to commercial applications Support for the Chinese Wall argument

3 Background 1975 Bell-LaPadula – “Secure Computer Systems: Mathematical Foundations and Model” 1976 Denning – “A Lattice Model of Secure Information Flow” 1977 Biba – “Integrity Considerations for Secure Computer Systems” 1989 Chinese Wall – “The Chinese Wall Security Policy” 1992 Sandhu – “Lattice-Based Enforcement of Chinese Walls” 1993 Sandhu – “Lattice-Based Access Control Models”

4 Security Models Bell-LaPadula – Confidentiality Biba – Integrity Chinese Wall (Brewer-Nash) – Conflict of Interest

5 Lattice Model Denning – 1976 Purpose – Guarantee Secure Information Flow Use mathematical framework to formulate requirements Unify all systems that restrict information flow Lead to automatic certification programs Denning uses a set of axioms to limit program code that will violate security classes Sandhu uses the axioms to control information flow at the model level

6 Denning Lattice Model Denning’s Flow Model – FM = <N, P, SC, ⊕, →> where: N = Objects; P = Processes; SC = Security Classes; ⊕ = Join operation on SC; → = Can-flow relation on SC. Assumption is static security classes (not objects)

7 Denning Lattice Example: High-Low policy. (H → H) H ⊕ H = H; (L → L) L ⊕ L = L; (L → H) L ⊕ H = H; (H not → L) H ⊕ L = H

8 Denning’s Axioms 1. The set of security classes is finite 2. The can-flow relation, →, is a partial order on SC 3. SC has a lower bound with respect to → 4. The join operator, ⊕, is a totally defined least upper bound operator

9 Information Flow Definitions 1. Information Flow Policy - 2. Denning’s axioms 3. Dominance – A ≥ B if and only if B → A.

10 Sandhu Definitions Users – Humans Subjects – Processes Objects – files Access matrix – subject X objects Cell [s,o] = access rights Owner can modify cell – discretionary

11 Bell-LaPadula Model Begin with discretionary control Add authorization policy without user control (security labels) Object – security classification User – security clearance Tranquility – User cannot change labels

12 Bell-LaPadula Model Simple security property – (human or process) s reads o only if λ(s) ≥ λ(o) or λ(o) → λ(s); *-security property – (process) s reads o only if λ(s) ≤ λ(o) or λ(s) → λ(o). Covert channels out of scope

13 Biba Model Flow from top to bottom. Simple integrity property – s reads o only if ω(s) ≤ ω(o); Integrity * property – (process) s reads o only if ω(s) ≥ ω(o)

14 Combining BLP and Biba Subject s can read object o only if λ(s) ≥ λ(o) and ω(s) ≤ ω(o). Subject s can write object o only if λ(s) ≤ λ(o) and ω(s) ≥ ω(o). Can make a single lattice but you would have to reverse the hierarchy and rules of either BLP or Biba
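
The single-lattice construction from slide 14, as an added example that is not part of the original slides: each label is a (confidentiality, integrity) pair, the Biba ordering is the one reversed, and the combined read and write rules are checked against plain dominance in the merged lattice for every pair of labels. The level names and their numeric ranks are constructed assumptions.

```python
from itertools import product

# Constructed sample levels (assumptions, not taken from the slides).
CONF = {"U": 0, "C": 1, "S": 2}           # confidentiality label, low -> high
INTEG = {"low": 0, "mid": 1, "high": 2}   # integrity label, low -> high

def can_read(s, o):
    """Combined read rule: conf(s) >= conf(o) and integ(s) <= integ(o)."""
    return CONF[s[0]] >= CONF[o[0]] and INTEG[s[1]] <= INTEG[o[1]]

def can_write(s, o):
    """Combined write rule: conf(s) <= conf(o) and integ(s) >= integ(o)."""
    return CONF[s[0]] <= CONF[o[0]] and INTEG[s[1]] >= INTEG[o[1]]

def merged(label):
    """Map (conf, integ) into one product lattice, reversing the Biba order."""
    return (CONF[label[0]], max(INTEG.values()) - INTEG[label[1]])

def dominates(a, b):
    """Component-wise dominance between two merged labels."""
    return all(x >= y for x, y in zip(a, b))

def can_flow(src, dst):
    """Information may flow src -> dst iff dst dominates src."""
    return dominates(merged(dst), merged(src))

def join(a, b):
    """Least upper bound in the merged lattice (component-wise max)."""
    return tuple(max(x, y) for x, y in zip(merged(a), merged(b)))

def rules_agree():
    """True if read == flow(o -> s) and write == flow(s -> o) for all labels."""
    labels = list(product(CONF, INTEG))
    return all(
        can_read(s, o) == can_flow(o, s) and can_write(s, o) == can_flow(s, o)
        for s, o in product(labels, repeat=2)
    )

if __name__ == "__main__":
    print("single lattice reproduces both rule sets:", rules_agree())
    print("S/low reads C/high:", can_read(("S", "low"), ("C", "high")))
    print("S/low writes C/high:", can_write(("S", "low"), ("C", "high")))
```
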

15 Conclusions By applying Denning’s lattice model axioms to BLP and Biba, information flow can be clearly defined. The axioms cannot take the problem of covert channels into account. The lattice is considered to be static. The paper’s focus is on the correctness of the lattice, not so much on the application to BLP and Biba.

16 Discussion Does Sandhu adequately describe the lattice-based control using the semantics from Denning? Are there systems that use a single lattice with both BLP and Biba? How much of a performance hit is caused by covert channels? Can the lattice handle the management of the access control in BLP?

