Bell-LaPadula Model – read down/write up
Security levels arranged in linear ordering
• Top Secret: highest
• Secret
• Confidential
• Unclassified: lowest
Subjects have security clearance L(s); objects have security classification L(o)

security level   subject   object
Top Secret       Tamara    Personnel Files
Secret           Samuel    E-Mail Files
Confidential     Claire    Activity Logs
Unclassified     Alice     Telephone Lists

• Tamara can read all files
• Claire cannot read Personnel or E-Mail Files
• Alice can only read Telephone Lists
Reading Information
• Information flows up, not down
• “Reads up” disallowed, “reads down” allowed
Simple Security Condition
• Subject s can read object o iff L(o) ≤ L(s) and s has permission to read o
• Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
• Sometimes called “no reads up” rule
Writing Information
• Information flows up, not down
• “Writes up” allowed, “writes down” disallowed
*-Property
• Subject s can write object o iff L(s) ≤ L(o) and s has permission to write o
• Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
• Sometimes called “no writes down” rule
Basic Security Theorem
• If a system is initially in a secure state, and every transition of the system satisfies the simple security condition and the *-property, then every state of the system is secure
• Proof: induct on the number of transitions
Biba integrity model
• Bell-La Padula model (confidentiality model): read-down/write-up
• Biba (read-up/write-down): dual of BLP model
  • Subject cannot corrupt data in a higher level
  • Subject cannot be corrupted by data with a lower level
1. s ∈ S can read o ∈ O iff i(s) ≤ i(o)
2. s ∈ S can write to o ∈ O iff i(o) ≤ i(s)
3. s1 ∈ S can execute s2 ∈ S iff i(s2) ≤ i(s1)
i is integrity level
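The two mandatory rules of BLP and the three dual rules of Biba, applied to the slides' own subjects and objects, as an added example (not code from the slides). The clearance and classification tables come from the slides; the discretionary permission table and the Biba integrity levels are constructed for the illustration, and the one discretionary denial (Samuel on the Activity Logs) is there only to show that the mandatory check alone does not decide access.

```python
from enum import IntEnum


class Level(IntEnum):
    """The slides' linear ordering: Unclassified (lowest) ... Top Secret (highest)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


# Sample data from the slides' table: clearance L(s) and classification L(o).
CLEARANCE = {
    "Tamara": Level.TOP_SECRET,
    "Samuel": Level.SECRET,
    "Claire": Level.CONFIDENTIAL,
    "Alice": Level.UNCLASSIFIED,
}
CLASSIFICATION = {
    "Personnel Files": Level.TOP_SECRET,
    "E-Mail Files": Level.SECRET,
    "Activity Logs": Level.CONFIDENTIAL,
    "Telephone Lists": Level.UNCLASSIFIED,
}

# Discretionary part (constructed, not on the slides): everyone holds read and
# write permission on everything except the entries listed here.
DAC_DENIED = {("Samuel", "Activity Logs", "read")}


def dac_allows(subject, obj, mode):
    return (subject, obj, mode) not in DAC_DENIED


def blp_can_read(subject, obj):
    """Simple security condition ("no reads up"): L(o) <= L(s) and DAC read permission."""
    return CLASSIFICATION[obj] <= CLEARANCE[subject] and dac_allows(subject, obj, "read")


def blp_can_write(subject, obj):
    """*-property ("no writes down"): L(s) <= L(o) and DAC write permission."""
    return CLEARANCE[subject] <= CLASSIFICATION[obj] and dac_allows(subject, obj, "write")


def readable_by(subject):
    return sorted(o for o in CLASSIFICATION if blp_can_read(subject, o))


def writable_by(subject):
    return sorted(o for o in CLASSIFICATION if blp_can_write(subject, o))


# Biba, the dual: the same names, but with integrity levels i(.) instead of
# clearances. Levels are constructed so the two models can be compared side by side.
INTEGRITY = {
    "Tamara": 3, "Samuel": 2, "Claire": 1, "Alice": 0,
    "Personnel Files": 3, "E-Mail Files": 2, "Activity Logs": 1, "Telephone Lists": 0,
}


def biba_can_read(s, o):
    """Rule 1: s can read o iff i(s) <= i(o), so s is never corrupted by lower-integrity data."""
    return INTEGRITY[s] <= INTEGRITY[o]


def biba_can_write(s, o):
    """Rule 2: s can write o iff i(o) <= i(s), so s never corrupts higher-integrity data."""
    return INTEGRITY[o] <= INTEGRITY[s]


def biba_can_execute(s1, s2):
    """Rule 3: s1 can execute s2 iff i(s2) <= i(s1)."""
    return INTEGRITY[s2] <= INTEGRITY[s1]


if __name__ == "__main__":
    for s in CLEARANCE:
        print(f"{s}: BLP reads {readable_by(s)}, writes {writable_by(s)}")
```

Running it reproduces the three bullets on the slide (Tamara reads everything, Claire is denied the Personnel and E-Mail Files, Alice reads only the Telephone Lists) and also shows the less intuitive half of BLP: Alice may write to the Personnel Files she cannot read, while Tamara may not write to the Telephone Lists, because information is only allowed to flow up.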
Motivation: Hurricane Katrina 2005
• The Coast Guard was one of the worst offenders: FEMA officials would later say the agency [Coast Guard] did almost nothing to keep other units up to speed on its activities [Garnett, Kouzmin 07]
• Another of the tragedies of Katrina came when interorganizational networking failed to rise to the occasion. Federal agencies were too seldom on the same page -- even agencies within the same department, such as FEMA and the HSOC.
• …, it also stemmed from differences in organizational culture and lack of trust that surfaced before Katrina had even formed.
Quantified risk-adaptive access control
• The problem is about balancing risk vs. benefit tradeoffs and existing access control policies
• Traditional models specify these tradeoffs statically
• Goal: to be adaptive to the dynamic environments and the needs to which the policies are applied
• An organization continually optimizes access control based on risk vs. benefit tradeoffs
• Constraint: capping overall risk cannot be realized.
• IBM paper: Fuzzy Multi-Level Security: An Experiment on Quantified Risk-Adaptive Access Control, Pau-Chen Cheng et al. [IEEE Security & Privacy 07]
Intuition for fuzzy multi-level security
• Need to determine the probability of unauthorized disclosure
• A precise determination is generally impossible since that would require predicting future user behaviors. For example, the probability should be very high when a person without security clearance is given access to top secret information, but relatively low if the access is given to a person with top secret clearance.
• The model also asks the user to claim the perceived benefits of access
  • Self-claimed benefit value
  • Need to have an audit system
Probabilistic model in fuzzy MLS
• Probability of unauthorized disclosure P = P1 + P2 − P1P2
• The Fuzzy MLS model considers P1 to be the probability that a human subject (a user) leaks the information by succumbing to temptation and P2 to be the probability of inadvertent disclosure, regardless of a subject’s intention. The model estimates P1 and P2, but they are no longer binary. Thus, the Fuzzy MLS model quantifies the risk that is the concern of the simple security property of the Bell–LaPadula model; this property states that a subject cannot read up and is meant to prevent unauthorized disclosure of information to human subjects.
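An added example (not from the slides or from the Cheng et al. paper) that puts the pieces of the last three slides together: the combination P = P1 + P2 − P1P2, a risk-versus-benefit decision against the user's self-claimed benefit, a hard cap on the disclosure probability, and an audit record for every decision. The shape of the P1 estimator, the loss values per level, the cap and the decision rule are all assumptions of this example; the slides only state that P1 should be near 1 for an uncleared user on top secret data and low for a cleared one.

```python
import math
from dataclasses import dataclass


def disclosure_probability(p1, p2):
    """P = P1 + P2 - P1*P2 from the slides: the probability that at least one of two
    independent events (deliberate leak P1, inadvertent disclosure P2) occurs.
    Algebraically identical to 1 - (1 - P1)(1 - P2)."""
    for p in (p1, p2):
        if not 0.0 <= p <= 1.0:
            raise ValueError("probabilities must lie in [0, 1]")
    return p1 + p2 - p1 * p2


def estimate_p1(clearance, classification, steepness=3.0):
    """Hypothetical estimator (an assumption of this example, not the one of Cheng et
    al.): P1 rises with the gap L(o) - L(s) measured in levels, 0 = Unclassified ...
    3 = Top Secret. A gap of +3 (no clearance, Top Secret data) gives P1 close to 1;
    a gap of 0 or less gives a small P1."""
    gap = classification - clearance
    return 1.0 / (1.0 + math.exp(-steepness * (gap - 1.0)))


# Constructed stand-in for the loss if an object at a given level is disclosed, in the
# same made-up value units as the user's self-claimed benefit.
LOSS_IF_DISCLOSED = {0: 1.0, 1: 10.0, 2: 100.0, 3: 1000.0}


@dataclass
class Decision:
    subject: str
    obj: str
    p_disclosure: float
    expected_loss: float
    claimed_benefit: float
    allowed: bool
    reason: str


# Every decision is recorded: the benefit is self-claimed, so it must be reviewable.
AUDIT_LOG = []


def decide(subject, clearance, obj, classification, claimed_benefit, p2=0.01, risk_cap=0.5):
    """Allow iff P stays under a hard cap and the self-claimed benefit at least covers
    the expected loss P * loss. Both rules are assumptions of this example."""
    p1 = estimate_p1(clearance, classification)
    p = disclosure_probability(p1, p2)
    expected_loss = p * LOSS_IF_DISCLOSED[classification]
    if p > risk_cap:
        allowed, reason = False, "disclosure probability above cap"
    elif claimed_benefit < expected_loss:
        allowed, reason = False, "claimed benefit does not cover expected loss"
    else:
        allowed, reason = True, "claimed benefit covers expected loss"
    decision = Decision(subject, obj, p, expected_loss, claimed_benefit, allowed, reason)
    AUDIT_LOG.append(decision)
    return decision


if __name__ == "__main__":
    for d in (decide("Alice", 0, "Personnel Files", 3, 50.0),
              decide("Tamara", 3, "Personnel Files", 3, 100.0),
              decide("Tamara", 3, "Personnel Files", 3, 20.0)):
        print(d)
```

Note what changes compared with plain BLP: Tamara, who is cleared for the Personnel Files, can still be refused when the benefit she claims is too small for the expected loss, and an uncleared Alice is refused by the cap before her claimed benefit is even considered. The audit log is what makes the self-claimed benefit defensible, since a pattern of inflated claims is visible there.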
Integrity policy: motivation
• In commercial environments, who examines and certifies that the transactions are performed correctly?
• When a company receives an invoice, the purchasing office requires 2 steps:
  • Someone must have requested a service, and determined the account that would pay for the service
  • Someone must validate the invoice, the account must be debited, the check is written and signed
• Need at least two different people to perform the transactions: separation of duty
Clark-Wilson model
• Aimed at commercial rather than military applications, and closely models real commercial operations
• Proposed a set of rules to form a two-part integrity assurance facility
  • Certification is done by a security officer with respect to an integrity policy
  • Enforcement is done by the system
Entities
• constrained data items (CDI): data subject to integrity controls
• unconstrained data items (UDI): data not subject to integrity controls
• integrity verification procedures (IVP): procedures that test that the constrained data items conform to the integrity constraints
• transaction procedures (TP): procedures that take the system from one valid state to another
[Source: Stallings & Brown]
Certification Rules 1 and 2
• CR1 When any integrity verification procedure is run, it must ensure all constrained data items are in a valid state
• CR2 For some associated set of constrained data items, a transaction procedure (TP) must transform those constrained data items in a valid state into a (possibly different) valid state
  • Defines relation certified that associates a set of constrained data items with a particular transaction procedure
  • Example: transaction procedure balance, constrained data items accounts, in bank example
• However, the system should specify the scope of a TP’s power. That’s next.
Enforcement Rules and User rules
• ER1 Only transaction procedures certified to run on a constrained data item manipulate that constrained data item.
• ER2 Associate a user with each transaction procedure and set of constrained data items
• ER3 The system must authenticate each user attempting to execute a transaction procedure
• E.g., a user certified to do stock investment is not allowed to mess up bank balance
Separation of Duty In Model
• ER4 Only the certifier of a transaction procedure may change the list of entities associated with that transaction procedure. No certifier of a transaction procedure may ever have execute permission with respect to that entity.
  • Enforces separation of duty with respect to certified and allowed relations
• CR3 The allowed relations must meet the requirements imposed by the principle of separation of duty.
Logging
• CR4 All transaction procedures must append enough information to reconstruct the operation to an append-only constrained data item.
Handling Untrusted Input
• CR5 Any TP that takes an unconstrained data item (UDI) as an input value must be certified to perform only valid transformations, or else no transformations, for any possible value of the UDI.
• E.g., in a bank, numbers entered at the keyboard are unconstrained data items, so they cannot be input to transaction procedures. Transaction procedures must validate numbers (to make them a constrained data item) before using them; if validation fails, the transaction procedure rejects the unconstrained data item
• If you claim you deposit $1 million, the bank needs to validate that claim
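The certification and enforcement rules from the last five slides, wired together as a small reference monitor around the bank example, as an added illustration (not code from the slides or from Clark and Wilson). The users, passwords, accounts, TPs and the single IVP ("no balance is negative") are constructed; each check in the code is labelled with the rule it enforces, and a violated rule leaves the CDIs unchanged.

```python
import copy
from decimal import Decimal, InvalidOperation


class IntegrityViolation(Exception):
    """Raised when a rule would be broken; the CDIs are left unchanged."""


class ClarkWilsonMonitor:
    def __init__(self):
        self.cdis = {}          # constrained data items: name -> value
        self.ivps = []          # CR1: integrity verification procedures
        self.certified = {}     # CR2: TP name -> (function, certified CDI names, UDI validator)
        self.certifier = {}     # ER4: TP name -> the security officer who certified it
        self.allowed = set()    # ER2/CR3: (user, TP name) pairs
        self.credentials = {}   # ER3: user -> password (constructed, plaintext for brevity)
        self.sessions = set()   # ER3: authenticated users
        self.log = []           # CR4: append-only CDI

    # --- certification side (security officer) ---
    def certify_tp(self, officer, name, fn, cdi_names, udi_validator=None):
        self.certified[name] = (fn, frozenset(cdi_names), udi_validator)
        self.certifier[name] = officer

    def allow(self, officer, user, tp_name):
        """ER4: only the certifier changes the allowed relation, and may never execute the TP."""
        if self.certifier.get(tp_name) != officer:
            raise IntegrityViolation("ER4: only the certifier may change the allowed relation")
        if user == officer:
            raise IntegrityViolation("ER4: the certifier of a TP may not execute it")
        self.allowed.add((user, tp_name))

    def run_ivps(self, state=None):
        """CR1: every IVP must find all CDIs in a valid state."""
        state = self.cdis if state is None else state
        return all(ivp(state) for ivp in self.ivps)

    # --- enforcement side (the system) ---
    def login(self, user, password):
        if self.credentials.get(user) == password:
            self.sessions.add(user)
            return True
        return False

    def execute(self, user, tp_name, udi=None):
        if user not in self.sessions:
            raise IntegrityViolation("ER3: user not authenticated")
        if (user, tp_name) not in self.allowed:
            raise IntegrityViolation("ER2: user is not allowed to run this TP")
        fn, cdi_names, validator = self.certified[tp_name]
        value = None
        if validator is not None:  # CR5: turn the UDI into a CDI or reject it, whatever its value
            try:
                value = validator(udi)
            except (ValueError, TypeError, InvalidOperation) as err:
                raise IntegrityViolation(f"CR5: invalid UDI rejected: {udi!r}") from err
        scratch = {k: copy.deepcopy(self.cdis[k]) for k in cdi_names}  # ER1: scope of the TP
        fn(scratch, value)
        if set(scratch) != cdi_names:
            raise IntegrityViolation("ER1: TP touched a CDI it is not certified for")
        new_state = dict(self.cdis, **scratch)
        if not self.run_ivps(new_state):  # CR2: valid state -> valid state
            raise IntegrityViolation("CR2: TP would leave the CDIs in an invalid state")
        self.cdis = new_state
        self.log.append((user, tp_name, udi, dict(scratch)))  # CR4: enough to reconstruct
        return True


def parse_amount(udi):
    """CR5 validator: keyboard text -> positive Decimal with at most two decimals."""
    amount = Decimal(str(udi))
    if amount <= 0 or amount != amount.quantize(Decimal("0.01")):
        raise ValueError("amount must be positive with at most two decimals")
    return amount


def deposit(scratch, amount):
    scratch["checking"] += amount


def transfer_to_savings(scratch, amount):
    scratch["checking"] -= amount
    scratch["savings"] += amount


def build_bank():
    """Constructed bank: two accounts as CDIs, one IVP, a teller who may run both TPs."""
    m = ClarkWilsonMonitor()
    m.cdis = {"checking": Decimal("100.00"), "savings": Decimal("0.00")}
    m.ivps.append(lambda state: all(v >= 0 for v in state.values()))
    m.credentials = {"teller": "t-pass", "officer": "o-pass"}
    m.certify_tp("officer", "deposit", deposit, ["checking"], parse_amount)
    m.certify_tp("officer", "transfer", transfer_to_savings, ["checking", "savings"], parse_amount)
    m.allow("officer", "teller", "deposit")
    m.allow("officer", "teller", "transfer")
    return m


def blocked_by(action, *args):
    """Call action(*args); return None on success or the rule name that blocked it."""
    try:
        action(*args)
        return None
    except IntegrityViolation as err:
        return str(err).split(":", 1)[0]
```

The order of the checks inside execute is the point: authentication (ER3) and the allowed relation (ER2) are tested before any data is touched, the UDI is validated or rejected (CR5) before the TP sees it, the TP runs on a copy limited to its certified CDIs (ER1), the IVP is run on the candidate state (CR2) and only then is the state committed and the log appended (CR4). A transfer that would overdraw the account, or a deposit of "abc" or "-5", is refused without changing a balance, and the officer who certified the TPs can neither run them nor grant that right to himself (ER4).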
Key Points
• Confidentiality models restrict flow of information
• Bell-LaPadula models multilevel security
  • Cornerstone of much work in computer security
  • BLP model is generally believed to be very restrictive
• Integrity policies deal with trust
  • As trust is hard to quantify, these policies are hard to evaluate completely
  • Look for assumptions and trusted users to find possible weak points in their implementation
• Clark-Wilson focuses on separation of duty and transactions