Page 1

Security Policy Models: The Bell-LaPadula Model

Elisabeth C. Sullivan

CSE527

Page 2

Confidentiality Policies

Recall: confidentiality is the protection of information from unauthorized disclosure. Confidentiality policies are concerned with the illicit transmission of information.

Most frequently used in military or government systems.
» Often based on clearances and classifications

They are also called information flow policies. We will focus on the Bell and LaPadula model in this category.

Page 3

Bell LaPadula (BLP): Historical Perspective

A state machine model written in the 1970s at MITRE, Bedford MA
» Under contract with the Air Force
» For the Multics operating system

Has been the most influential model of security over the past ~30 years.
» The policy in the BLP model and some of the elements of the model are embedded within the TCSEC.
» It purports to implement the Department of Defense (DoD) security policy.

Has been much debated over the years.

Page 4

What is the TCSEC?

The Trusted Computer System Evaluation Criteria
» AKA "The Orange Book"

Written by the DoD to describe the security and assurance requirements necessary for government and military systems
» Defined several "rating classes", which were inclusive and increasing: C2, B1, B2, B3, A1
» Operating system centric

Used for 17 years as the de facto standard for trusted systems.

Retired in 1999 in favor of new criteria and methodology called the Common Criteria.

Page 5

BLP: Anatomy of a Model

Elements
» Fundamental definitions

Components
» Four entities that describe a state

Properties
» Four properties that the model describes

Rules
» State transition operators

Theorems and proofs
» Justifications and rationale

Page 6

BLP Elements: Subjects, Objects, Access Attributes, Security Levels

Page 7

BLP Elements: Subjects and Objects

Subjects: active entities (users, processes, …)
Objects: passive entities (data, files, directories, …)

Modeling of subjects and objects
» BLP may model a system where no subjects are objects
» BLP may model a system where all subjects are objects
» BLP may model a system where only some subjects are objects

Page 8

BLP Elements: Access Attributes

(Remember these by what they do, and not the names assigned to them in the BLP literature or the text!)

Observation with no alteration
» read

Both alteration and observation
» edit
» read and write

Alteration with no observation
» readless write, append

Neither observation nor modification
» execute
» search

Page 9

BLP Elements: Security Levels

Security levels are information attached to subjects and objects that is used to make mandatory access control decisions.
» In BLP, levels reflect government clearances and classifications.

The security level of a subject reflects the authorizations that subject has to information.
» In BLP, the subject's maximum level is the subject's security clearance.
» The subject's current level is lower than or equal to its maximum level.

Page 10

BLP Elements: Security Levels

The security level of an object reflects the protection requirements of that object.
» In BLP, it is the object's classification.
» An object has only one security level.

Page 11

BLP Elements: Security Levels

The security levels for the subjects and objects of a system form a single set.

A security level has two parts:
» A classification/clearance
» A set of categories

The set has two relations defined on it:
» Equals, an equivalence relation
» Dominates, a partial ordering

Page 12

Classifications and Clearances

A clearance is granted to a user based on a requirement to work with classified data and a background investigation.

A classification is assigned to information based on how sensitive the information is in terms of who can read it.

The classification/clearance designations (that we get to know about ;-) ) are
» Top Secret (T), Secret (S), Confidential (C), and Unclassified (U)
» A fully ordered set where T > S > C > U

Page 13

Categories and Category Sets

A category is an additional sensitivity assignment based on need-to-know.
» Separate from the classification/clearance
» Further restricts access

A category set is a subset of the set of all categories defined for the system.

Category sets are partially ordered by "contains", the subset relation (⊇).
» If the system supports 3 categories, A, B, C,
» then there are 8 possible category sets: {}, {A}, {B}, {C}, {A,B}, {A,C}, {B,C}, {A,B,C}
» {A,B,C} ⊇ {A,B}, {B,C} ⊇ {B}, and so forth.

Page 14

Security Level Samples

What are the possible security levels from the previous slide?
» C = {T, S, C, U}, the set of possible clearances/classifications
» K = { {}, {A}, {B}, {C}, {A,B}, {A,C}, {B,C}, {A,B,C} }, the power set of the category set {A, B, C}, which gives all the category sets in the system

List all the possible security levels:
» (T,{}) (T,{A}) (T,{B}) (T,{C}) (T,{A,B}) (T,{A,C}) (T,{B,C}) (T,{A,B,C})
» (S,{}) (S,{A}) (S,{B}) (S,{C}) (S,{A,B}) (S,{A,C}) (S,{B,C}) (S,{A,B,C})
» (C,{}) (C,{A}) (C,{B}) (C,{C}) (C,{A,B}) (C,{A,C}) (C,{B,C}) (C,{A,B,C})
» (U,{})
– Notice that categories do not apply to unclassified information.

Page 15

Security Level Samples

Suppose Mary's security level is (S, {A, B}).
» Then Mary can access the following information:
– Any information classified S or lower that has no categories
– Any information classified S or lower that pertains to category A
– Any information classified S or lower that pertains to category B (or to both A and B)
» Mary CANNOT read information that is
– Classified higher than S
– Classified S or lower and has a category other than A or B associated with it

Suppose a file's security level is (S, {A, B}).
» It can be accessed only by subjects having a clearance of S or better, and who have been read into BOTH category A and category B.

Page 16

What is an Equivalence Relation?

An equivalence relation R on a set S is a relation such that for all elements x, y, z ∈ S the following three things are true:
» R is reflexive: xRx
» R is symmetric: if xRy then yRx
» R is transitive: if xRy and yRz then xRz

Example: = is an equivalence relation (it is also a partial ordering).
» For any number r, r = r.
» If x = y, then y = x.
» If x = y and y = z, then x = z.

Page 17

What is a Partial Ordering?

A partial ordering relation R on a set S is a relation such that for all elements x, y, z ∈ S the following three things are true:
» R is reflexive: xRx
» R is antisymmetric: if xRy and yRx, then x = y
» R is transitive: if xRy and yRz then xRz

Example: ≤ is a partial ordering.
» For any number r, r ≤ r.
» If x ≤ y and y ≤ x, then x = y.
» If x ≤ y and y ≤ z, then x ≤ z.

Page 18

Security Level Specifics

The set of security levels is partially ordered by the relation dominates.
» Let SL1 = (class1, category-set1) and SL2 = (class2, category-set2); then
» SL1 dominates SL2 iff class1 ≥ class2 and category-set1 ⊇ category-set2.

Notice that some security levels cannot be compared using dominates.
» (S, {A}) does not dominate (S, {B})
» (S, {B}) does not dominate (S, {A})

Page 19

Security Levels Form a Lattice

A lattice is a mathematical structure consisting of
» A finite set of discrete elements S
» A partial ordering relation R on S: for all x, y, z ∈ S
– R is reflexive: xRx
– R is antisymmetric: if xRy and yRx, then x = y
– R is transitive: if xRy and yRz then xRz
» A function join on S: for all x, y ∈ S, join(x,y) = the unique least upper bound (LUB) of x and y
» A function meet on S: for all x, y ∈ S, meet(x,y) = the unique greatest lower bound (GLB) of x and y

Page 20

BLP Security Level Lattice

S is the set of all security levels.
» Suppose the classifications are T, S, U.
» Suppose the categories are NATO and SIOP. Then the possible category sets are
– {}, {NATO}, {SIOP}, {NATO, SIOP}
» Then S = { (T,{}), (T,{NATO}), (T,{SIOP}), (T,{NATO,SIOP}), (S,{}), (S,{NATO}), (S,{SIOP}), (S,{NATO,SIOP}), (U,{}) }.

R is dominates, as described for BLP.
» Convince yourself that dominates is reflexive, antisymmetric and transitive.

Page 21

BLP Security Level Lattice

join(x,y) is the unique least element j for which j dominates x and j dominates y.
» join((T,{NATO}), (S,{NATO,SIOP})) is (T,{NATO,SIOP})
» join((S,{NATO}), (C,{SIOP})) is what element?

meet(x,y) is the unique greatest element m for which x dominates m and y dominates m.
» meet((T,{NATO}), (S,{NATO,SIOP})) is (S,{NATO})
» meet((S,{NATO}), (C,{SIOP})) is what element?

Page 22

BLP Example Hasse Diagram

[Figure: Hasse diagram of the nine security levels from the previous slides, drawn top-down with downward arrows for dominance: T,{NATO,SIOP}; then T,{NATO}, T,{SIOP}, S,{NATO,SIOP}; then T,{ }, S,{NATO}, S,{SIOP}; then S,{ }; then U,{ }.]

How the diagram is built:
» Start with T,{NATO,SIOP}, the greatest SL. Call it MaxSL.
» The next level is the set of all security levels x such that MaxSL dom x and there is no security level z such that MaxSL dom z dom x.
» Connect the SLs from above to MaxSL with downward arrows, indicating the dominance relation.
» For each of these 3 SLs, repeat the process above. In this step, each of the 3 SLs points to two new SLs.
» For each of these new SLs, repeat the process above. This time, each of the 3 SLs points to one new SL.
» One more iteration from the 1 SL to the lowest SL completes the lattice, and the arrows complete the Hasse diagram.
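The dominates relation of slide 18, the join and meet of slide 21 and the covering arrows of the Hasse diagram above, worked in code. This is an added example and not part of the slides; it assumes the slides' classification order T > S > C > U (slide 20 uses only T, S, U, and slide 21's question uses C, so both are covered), the NATO/SIOP categories, and the slide 14 rule that unclassified information carries no categories. Running it answers the two open questions on slide 21: join((S,{NATO}),(C,{SIOP})) is (S,{NATO,SIOP}) and meet((S,{NATO}),(C,{SIOP})) is (C,{}).

```python
"""Added example, not from the slides: the BLP security-level lattice for the
slides' classifications and the NATO/SIOP categories, with dominates, join,
meet, and the covering relation that gives the arrows of the Hasse diagram."""
from itertools import combinations

RANK = {"U": 0, "C": 1, "S": 2, "T": 3}   # classification order T > S > C > U
CATEGORIES = ("NATO", "SIOP")             # the category universe of slide 20


def all_levels(classes=("T", "S", "C", "U"), cats=CATEGORIES):
    """The set of security levels: every (classification, category-set) pair.
    Slide 14: categories do not apply to unclassified information, so U gets only {}."""
    subsets = [frozenset(c) for n in range(len(cats) + 1) for c in combinations(cats, n)]
    return [(cls, k) for cls in classes for k in subsets if not (cls == "U" and k)]


def dominates(sl1, sl2):
    """SL1 dominates SL2 iff class1 >= class2 and category-set1 ⊇ category-set2."""
    (c1, k1), (c2, k2) = sl1, sl2
    return RANK[c1] >= RANK[c2] and k1 >= k2   # frozenset >= means "is a superset of"


def join(x, y):
    """Least upper bound: the higher classification with the union of the categories."""
    return (max(x[0], y[0], key=RANK.get), frozenset(x[1] | y[1]))


def meet(x, y):
    """Greatest lower bound: the lower classification with the intersection."""
    return (min(x[0], y[0], key=RANK.get), frozenset(x[1] & y[1]))


def top(levels):
    """The unique greatest element of the lattice (MaxSL on slide 22)."""
    return [a for a in levels if all(dominates(a, b) for b in levels)][0]


def hasse_edges(levels):
    """Covering pairs (a, b): a dominates b, a != b, and no z with a dom z dom b.
    These are exactly the downward arrows drawn in the Hasse diagram."""
    edges = []
    for a in levels:
        for b in levels:
            if a == b or not dominates(a, b):
                continue
            if any(z != a and z != b and dominates(a, z) and dominates(z, b) for z in levels):
                continue   # something sits strictly between a and b: not a covering pair
            edges.append((a, b))
    return edges


def fmt(sl):
    """Render a level the way the slides write it, e.g. (S,{NATO,SIOP})."""
    return f"({sl[0]},{{{','.join(sorted(sl[1]))}}})"


if __name__ == "__main__":
    s_nato, c_siop = ("S", frozenset({"NATO"})), ("C", frozenset({"SIOP"}))
    print("join((S,{NATO}),(C,{SIOP})) =", fmt(join(s_nato, c_siop)))
    print("meet((S,{NATO}),(C,{SIOP})) =", fmt(meet(s_nato, c_siop)))
    lattice = all_levels(("T", "S", "U"))   # the nine levels of slides 20 and 22
    print("MaxSL =", fmt(top(lattice)))
    for a, b in hasse_edges(lattice):
        print(f"  {fmt(a)} -> {fmt(b)}")
```

hasse_edges keeps only covering pairs, so the nine levels of slide 20 yield the thirteen arrows of the diagram (3 + 6 + 3 + 1, matching the construction steps); incomparable pairs such as (S,{NATO}) and (S,{SIOP}) never appear because neither dominates the other.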

Page 23

BLP Components

The system state is defined in terms of the following four values, called components:
» Current access set
» Object hierarchy
» Access permission matrix
» Level function

Page 24

BLP Components: Access State

Current access set
» Defines the access state as a set of triples (subject, object, access-attribute).
» "subject" has current "attribute" access to "object".

Note this is *not* an access control matrix.
» It does not identify all possible accesses.
» It identifies one possible state, which happens to be the one the system is in right now.

Page 25

BLP Components: Object Hierarchy

[Figure: two rooted trees of objects, labelled root 1 and root 2.]

Object hierarchy
» A parent-child relation structure on objects.
» Consists of rooted trees and isolated points.

Page 26

BLP Components: Object Hierarchy

Compatibility property:
» The security level of the parent dominates the security level of the child.

Page 27

Access Permission Matrix

» One column for each object (including subjects that are objects, if any).
» One row for each subject.
» Cells contain sets of access attributes.
» The cell in the ith row and the jth column contains the access attributes of the ith subject in the matrix (Si) to the jth object in the matrix (Oj).

[Figure: the access permission matrix, rows labelled by subjects and columns by objects; the cell at row Si, column Oj holds r, with Oj+1 the next column.]

Page 28

Level Function

"f" determines security levels for subjects and objects.
» It can be used to identify the maximum level a subject can hold.
» It can be used to identify the current level at which the subject is operating.
» It can be used to identify the level of an object.

Page 29

Definition of a System

Inputs are called requests and outputs are called decisions. The system is all sequences (request, decision, state) with some initial state.

What does it mean for the system to be secure?

Page 30

BLP Simple Security Property (SS)

If a (subject, object, access attribute) triple is in the current access set, and the access attribute allows observation, then the current level of the subject dominates the level of the object.

Informally, "no read up". This is the first "half" of the MAC properties.

Page 31

BLP '*' Property

If a (subject, object, access attribute) triple is in the current access set, then
» the level of the object dominates the current level of the subject if the attribute is alteration with no observation;
» the level of the object equals the current level of the subject if the access attribute is observe and alter;
» the current level of the subject dominates the level of the object if the access attribute is observe only.

Informally, "no write down". The "second half" of the MAC properties.

Page 32

BLP Discretionary Security Property

A state satisfies the "ds" property if, for each member of the current access set, the specified access mode is included in the access matrix entry for the corresponding subject-object pair.
» Allows an individual to extend access to an object to anyone that is allowed to observe the document under the SS and '*' properties.
» Can only reduce the set of reachable states.

Page 33

ds Property

Note that the Access Permission Matrix describes the discretionary access permissions, as already refined by the MAC constraints.
» Essentially, MAC is "checked first".
» Nothing gets into the access permission matrix unless it meets both SS and '*'.

The Access Permission Matrix ties identity to permissions.

Page 34

BLP Result 1: The Inductive Nature of Security

A state is secure if and only if it satisfies the "SS" property, the "*" property and the "ds" property.

The Basic Security Theorem: if the initial state is secure and every state transition results in a secure state, then the system will always be in a secure state.
» Illustrates the inductive nature of security.
» There are three supporting theorems, one relating to each of the three properties.

Page 35

BLP Model Result Two: Rules

Rules are what describe how the system moves from one state to another.
» System inputs are called requests.
» System outputs are called decisions.
» A rule takes a request and the current state and produces a decision and the next state: (request, current-state) → (decision, next-state)

Rules are specific to the system being modeled.
» The general model has 8 rules.
» The Multics model has 11 rules.

Page 36

BLP Result 3: Rule Properties / System Properties

The system specified by a set of rules satisfies SS, '*', and ds if each rule itself introduces no exception to these properties.

Page 37

BLP Model Rules

Altering current access
» get access (add a triple to the current access set)
» release access (remove a triple from the current access set)

Alter level functions
» change object level
» change subject current-level

Alter access permission
» give access (add an attribute to a cell of the access permission matrix)
» rescind access (remove an attribute from a cell of the access permission matrix)

Alter hierarchy
» create object
» delete a group of objects

Page 38

Sample Rule: get_access

Inputs: subject, object, access attribute to be added

Preconditions:
» The SS property must hold for the proposed triple.
– If the access is one of the two observe modes, the security level of the subject must dominate the security level of the object.
» The '*' property must hold for the proposed triple.
– The object level dominates the subject level if the attribute is alteration with no observation.
– The object level equals the subject level if the access attribute is observe and alter.
– The subject level dominates the object level if the access attribute is observe only.

Effects: the triple is added to the current access set.
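The four components of slides 23 to 28, the SS, '*' and ds properties of slides 30 to 32, and the get_access rule above, as a runnable toy in Python. This is an added example, not code from the slides or from Bell and LaPadula; the subject name mary, the object names, their levels and the matrix entries are constructed sample data, and the attribute names read, write, append and execute follow slide 8 (observe only; observe and alter; alter only; neither). Slide 38 lists only SS and '*' as preconditions; the example also checks ds before adding the triple, so that a secure state in the sense of slide 34 can only move to a secure state, and run() checks this inductively along a request sequence. Compatibility is checked as slide 26 states it (the parent's level dominates the child's).

```python
"""Added example, not from the slides: a toy BLP system state (current access
set, object hierarchy, access permission matrix, level function), the SS, '*'
and ds properties, and the rule get_access as a state transition."""
from dataclasses import dataclass, replace

RANK = {"U": 0, "C": 1, "S": 2, "T": 3}   # classifications, T > S > C > U
OBSERVE = {"read", "write"}               # access attributes that allow observation
ALTER = {"write", "append"}               # access attributes that allow alteration
# execute is in neither set: it neither observes nor alters (slide 8)


def dominates(sl1, sl2):
    """(class1, cats1) dominates (class2, cats2) iff class1 >= class2 and cats1 ⊇ cats2."""
    return RANK[sl1[0]] >= RANK[sl2[0]] and sl1[1] >= sl2[1]


@dataclass
class State:
    access: frozenset   # current access set: (subject, object, attribute) triples
    hierarchy: dict     # object hierarchy: child object -> parent object (roots absent)
    matrix: dict        # access permission matrix: (subject, object) -> set of attributes
    level: dict         # level function f: subject -> current level, object -> level


def ss_holds(st, s, o, a):
    """Simple security: an observing access needs f(s) dominates f(o) ("no read up")."""
    return a not in OBSERVE or dominates(st.level[s], st.level[o])


def star_holds(st, s, o, a):
    """'*' property ("no write down"), case by case on the kind of attribute."""
    ls, lo = st.level[s], st.level[o]
    if a in ALTER and a not in OBSERVE:   # alteration with no observation (append)
        return dominates(lo, ls)
    if a in ALTER and a in OBSERVE:       # observe and alter (write)
        return lo == ls
    if a in OBSERVE:                      # observe only (read)
        return dominates(ls, lo)
    return True                           # neither (execute): '*' imposes nothing


def ds_holds(st, s, o, a):
    """Discretionary security: the attribute must be in the matrix cell for (s, o)."""
    return a in st.matrix.get((s, o), set())


def compatible(st):
    """Compatibility as stated on slide 26: each parent's level dominates its child's."""
    return all(dominates(st.level[p], st.level[c]) for c, p in st.hierarchy.items())


def is_secure(st):
    """Secure state (slide 34): SS, '*' and ds hold for every triple in the access set."""
    return all(ss_holds(st, *t) and star_holds(st, *t) and ds_holds(st, *t)
               for t in st.access)


def get_access(st, s, o, a):
    """Rule get_access: (request, current-state) -> (decision, next-state).
    Slide 38 lists SS and '*' as preconditions; ds is checked here as well so
    that a secure state can only move to a secure state."""
    if ss_holds(st, s, o, a) and star_holds(st, s, o, a) and ds_holds(st, s, o, a):
        return "yes", replace(st, access=st.access | {(s, o, a)})
    return "no", st


def run(st, requests):
    """Apply a sequence of get_access requests, checking security inductively
    (the Basic Security Theorem): every step starts and ends in a secure state."""
    assert is_secure(st)
    decisions = []
    for s, o, a in requests:
        decision, st = get_access(st, s, o, a)
        assert is_secure(st)
        decisions.append(decision)
    return decisions, st


def sample_state():
    """Constructed sample: subject mary at current level (S,{NATO}) and a small object tree."""
    N, NS = frozenset({"NATO"}), frozenset({"NATO", "SIOP"})
    level = {"mary": ("S", N),
             "plans": ("T", NS),           # root directory
             "plans/log": ("T", NS),       # child of plans, higher than mary
             "plans/ops": ("S", N),        # child of plans
             "plans/ops/memo": ("S", N)}   # child of plans/ops, same level as mary
    hierarchy = {"plans/log": "plans", "plans/ops": "plans", "plans/ops/memo": "plans/ops"}
    matrix = {("mary", "plans/ops/memo"): {"read", "write"},
              ("mary", "plans/log"): {"read", "append"},
              ("mary", "plans"): {"read"}}
    return State(frozenset(), hierarchy, matrix, level)


if __name__ == "__main__":
    requests = [("mary", "plans/ops/memo", "read"),    # same level: yes
                ("mary", "plans/ops/memo", "write"),   # equal levels: yes
                ("mary", "plans/log", "append"),       # write up, no observation: yes
                ("mary", "plans/log", "read"),         # read up: no (SS fails)
                ("mary", "plans", "read"),             # read up: no (SS fails)
                ("mary", "plans/ops", "read")]         # MAC ok but no matrix entry: no (ds fails)
    decisions, final = run(sample_state(), requests)
    for req, d in zip(requests, decisions):
        print(req, "->", d)
    print("final state secure:", is_secure(final), "| compatible:", compatible(final))
```

The last request shows the ordering of slide 33: SS and '*' would both admit mary reading plans/ops, but the matrix has no cell for that pair, so ds refuses it; the "read" on plans/log is the opposite case, where the matrix allows it but SS does not.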

Page 39

BLP Enhancement Properties

Tranquillity properties
» Added after the first McLean/Bell disagreement.
» Address the issue of security levels changing.
– Strong tranquillity: security levels of subjects and objects do not change, period.
– Weak tranquillity: security levels of subjects and objects never change in such a way that violates the security policy.

Page 40

The Multics Interpretation of BLP

Subjects are (process, ring) pairs.
Objects are the usual.
Access attributes for data segments are the same as in the model, but execute is defined as read or execute.

Access attributes for directory segments:
» execute is interpreted as search
» read is interpreted as status
» read/write is status and modify status

Page 41

The Multics Interpretation of BLP

The current access set is represented by segment descriptor words.
The Access Permission Matrix is a big ACL.
Level information is in directory segments and tables.
Branches are the object hierarchy.

Page 42

BLP Rules For Multics

Altering current access
» get-read
» get-write-only
» get-execute
» get-read-write
(These four map to the model rule get access.)
» release-read/execute/write

Alter access permission
» give-read/write/execute
» rescind-read/write/execute

Alter hierarchy
» create-object
» delete-object-group

Page 43

BLP Rules For Multics

Alter level functions
» change-subject-security-level
» change-object-security-level

Note these rules are given in the Multics model but are not implemented in the Multics kernel.
» This means that Multics enforces strong tranquillity.

Page 44

BLP Extras for Multics

Trusted subjects:
» Not constrained by the '*' property.
» Defined by Bell and LaPadula "as a subject that is guaranteed not to consummate a security-breaching information transfer even if it is possible."
– May have the physical capability to violate policy but do not.
– Correct functioning is critical to system behavior.

Communications paths: covert timing channels, covert storage channels.

Sabotage and Integrity: Bell and LaPadula distinguished between them as "undesired" and "approved" erroneous modifications. The terminology didn't last.

Page 45

Comment and Contributions

BLP was really the first major modeling work that was available to the computer security community. It has provided food for thought to hundreds, probably thousands, of researchers, and is still the standard against which all security policy modeling work gets compared.

BLP still represents the military model of security. BLP still stands up to scrutiny when assessed for what it was written for.

Page 46

Summary of BLP Model

Who developed it, where, when, for what reason?
» D. Elliott Bell and Len LaPadula, at MITRE under contract with the USAF, for the Multics operating system.

Is it formal or informal? If formal, what formalism?
» It is formally stated in the language of mathematics.

What kind of model is it? (confidentiality, integrity, hybrid, non-interference)
» Confidentiality model, information flow.

What is the intended environment?
» Military, classified and sensitive data.

What are the threats to address?
» Disclosure

Page 47

Summary of BLP Model

What are the security objectives?
» The protection of classified and sensitive data from internal or external disclosure to an unauthorized party.
» Downgrading, object creation/deletion, changing the current access set, and changing the access matrix are allowed and must be done in a manner consistent with the above.
» It does not address integrity, availability, auditing, I&A, management of security levels, etc.

What is the basic structure and what are the elements/components?
» State machine model with subjects, objects, attributes, and security levels; four state-holding components: current access set, object hierarchy, access permission matrix, level function.

Page 48

Summary of BLP Model

What are the fundamental issues/properties?
» Simple security property: no read up.
» '*' property: no write down.
» Discretionary security property: have to pass SS and * first.
» Tranquillity property (cannot change security level once instantiated).
» Compatibility (security level of child cannot dominate security level of parent).

How is it justified that the policy/model counters the threats?
» The Basic Security Theorem and 3 underlying theorems.
» Rules were shown consistent with the security properties by Bell in 1976 (the year after the model was released).