Formal Model for Computer Security


Formal Models for Computer Security
CARL E. LANDWEHR
Code 7593, Naval Research Laboratory, Washington, D.C. 20375

Efforts to build "secure" computer systems have now been underway for more than a decade. Many designs have been proposed, some prototypes have been constructed, and a few systems are approaching the production stage. A small number of systems are even operating in what the Department of Defense calls the "multilevel" mode: some information contained in these computer systems may have a classification higher than the clearance of some of the users of those systems.

This paper reviews the need for formal security models, describes the structure and operation of military security controls, considers how automation has affected security problems, surveys models that have been proposed and applied to date, and suggests possible directions for future models.

Keywords and Phrases: security, computer, protection, operating system, data security, access control, access matrix, capabilities, confidentiality, privacy, information flow, security classes, confinement, integrity, aggregation, sanitization, verification

CR Categories: 1.3, 3.53, 3.56, 4.0, 4.35, 8.1

1981 ACM 0010-4892/81/0900-0247 $00.00. Computing Surveys, Vol. 13, No. 3, September 1981

CONTENTS

INTRODUCTION
1. WHY FORMAL MODELS?
2. STRUCTURE OF MILITARY SECURITY
3. DYNAMICS OF MILITARY SECURITY
4. EFFECTS OF AUTOMATION
4.1 Old Problems Aggravated
4.2 New Problems
4.3 Potential Benefits
5. FORMAL MODELS FOR COMPUTER SECURITY
5.1 Basic Concepts and Trends
5.2 High-Water-Mark Model
5.3 Access Matrix Model
5.4 Models Based on Access Matrices
5.5 Bell and LaPadula Model
5.6 Information-Flow Models
5.7 Extensions and Applications of the Bell and LaPadula Model
5.8 Programs as Channels for Information Transmission
6. DISCUSSION
7. CONCLUSION
ACKNOWLEDGMENTS
REFERENCES

INTRODUCTION

Efforts to build secure computer systems have now been underway for more than a decade. Many designs have been proposed, some prototypes have been constructed, and a few systems are approaching the production stage. A small number of systems in the Department of Defense (DoD) are even operating in multilevel mode: some information in any of these systems may have a classification higher than the clearance of some users.

Nearly all of the projects to design or construct secure systems for processing classified information have had a formal mathematical model for security as part of the top-level definition of the system. The model functions as a concise and precise description of the behavior desired of the security-relevant portions of the system. These models have been influenced by the DoD regulations for processing classified data, by intuitive notions of security, by the structure of existing computer systems, and by the capabilities of program-verification technology. They have not always been influenced by, or have even recognized, the ways in which security regulations are applied in practice.

It is the purpose of this paper to review the need for formal security models, to describe briefly the structure and operation of military security controls, to survey models that have been proposed and applied to date, and to suggest possible directions for future models. All the models described concern access to information within a computer and the flow of information within a computer; they are not concerned with the areas described by the Dennings [DENN79b] of user authentication, inference controls, or cryptographic controls. Our descriptions, whenever possible, avoid formal notation. The purpose of this paper is to make the basic concepts of each model apparent, not to restate each model in complete detail.

1. WHY FORMAL MODELS?

In order to build a secure system, designers must first decide exactly what secure means for their particular needs. In a private company, security may be related to the nondisclosure of confidential accounting data or trade secrets, or to the enforcement of privacy regulations regarding personal medical or credit records. If national security data are involved, security becomes the protection of classified material, as detailed in various DoD instructions and regulations. One might hope for these regulations to be clear-cut and directly applicable to information stored in computers: not so. Because most of the regulations were originally constructed for an environment where information was recorded on paper and stored in safes, they have had to be revised as the use and understanding of computers within DoD have increased.

Although the DoD regulations can be said to define the security required for systems processing classified national security data, their form is not very helpful to system designers. Typically, regulations are written in English and are descriptive ("safeguards must permit accomplishment of mission functions while affording an appropriate degree of security" [OPNA79]) rather than prescriptive ("the system shall have the following design characteristics: ...").

The point here is not that the regulations are poorly phrased--indeed, it would be undesirable for regulations to specify particular approaches when many of the questions involved are still research issues--but that formal models of security are needed for design. Since the system must not only be secure, but must be demonstrably so, designers need formal security models to be able to convince others of the security of the system. By constructing a formal model for security, demonstrating that systems enforcing this model are secure (according to the applicable DoD regulations, privacy laws, or company policy), and then demonstrating that the design to which the implementation corresponds enforces the model, the designers can make a convincing argument that the system is secure.

To date, the need for computer security has been more apparent in military than in commercial applications; consequently, the models discussed below concern military rather than industrial security. As security concerns become more important to the private sector and to the nonmilitary parts of the government, formal models appropriate to these applications will also be needed.

2. STRUCTURE OF MILITARY SECURITY

Because most of the models described below were constructed with military security in mind, it will be helpful to review briefly some of the major aspects of military security for readers unfamiliar with them. The requirement for military security arises from the existence of information that, if known by an enemy, might damage the national security (by making defenses more easily penetrable, for example). Because there are costs associated with protecting such information, and because not all information is equally sensitive, different sensitivity levels of information are distinguished. The recognized sensitivity levels, in increasing order of effect on national security, are unclassified, confidential, secret, and top secret. Information that has been assigned any of the three levels above unclassified is called classified. The classification of information takes into account its sensitivity level and, in some cases, additional factors described below.

Since the purpose of the classification system is to prevent the uncontrolled dissemination of sensitive information, mechanisms are required to ensure that those individuals allowed access to classified information will not distribute it improperly. In the military security system, the granting of a clearance to an individual indicates that certain formal procedures and investigations have been carried out and that the individual is considered trustworthy with information classified up to a certain sensitivity level. Clearances for higher levels of information correspond to greater degrees of trust and correspondingly require more extensive background investigations. The discretionary power accorded individuals of increasing clearance levels is enforced by explicit legal penalties for any improper handling of classified information.

The smaller the number of people who know a secret, the easier it is to control further dissemination. In recognition of this fact, and of the fact that few individuals need to be aware of all the information classified at a given sensitivity level, a finer grain of classification has been created on the basis of need-to-know. The general principle is that classified information should not be entrusted to an individual unless he has both the clearance required for it and some specific job-related need to know that information. Although this principle applies to all classified information, in some cases information relating to specific subject areas is formally designated as a separate compartment of information (e.g., all information related to nuclear weapons might be in a compartment called NUCLEAR). Compartment designations are in addition to the sensitivity level designations; information might be designated confidential, NUCLEAR or secret, NUCLEAR, for example. Compartments may overlap, with some information designated as being in two or more compartments. A classification or security level then consists of both a sensitivity level and a (possibly empty) set of compartments. Corresponding to these formally designated need-to-know compartments are additional clearances that are used to control the compartments to which an individual may have access. If information is designated with multiple compartments, an individual must be cleared for all of them before he can view that information.

In addition to compartments, there are restrictions known as caveats placed on some documents. Although these serve a function quite similar to that of compartments, they are usually broader in scope. One caveat, for example, is the Originator Controlled (ORCON) caveat, indicating that its originator must approve any further dissemination of the information. There are no specific clearances that correspond to the caveats; instead, specific properties of individuals (such as authorship or citizenship) are referred to.

The dissemination of information of a particular security level (including sensitivity level and any compartments or caveats) to individuals lacking the appropriate clearances for that level is prohibited by law; these statutory restrictions are sometimes referred to as mandatory access controls. In distributing information of a given security level to those who possess the necessary clearances, a cleared individual must exercise some discretion in determining whether the recipient has, in addition, a need to know the information. These imprecise but important restrictions are referred to as discretionary access controls.

3. DYNAMICS OF MILITARY SECURITY

The structure described above is generally adequate to describe a static set of information recorded on paper. Each piece of paper can be appropriately classified and physically protected (e.g., by storage in a safe). The dynamics of information handling under such a system are more difficult to model than its static aspects. These include such operations as creating a new piece of classified information (perhaps using a collection of existing information), sanitizing information by removing the sensitive parts, declassifying information, copying information, and so on.

Creation of new classified information can cause a number of problems, the first of which is determining whether new information should in fact be classified. In the case of a new document relating to a previously classified system or topic or to using information from classified sources, it will usually be clear to the author that the new document will be classified as well. Generally, a document can be viewed as a sequence of paragraphs, each of which is assigned a classification. Because the document as a whole also has a classification, the document is in this sense a multilevel object, that is, it can contain information classified at various levels. The level of classification of a document as a whole is usually that of the most classified information it contains. In some cases, however, a collection of information, each component of which is by itself unclassified (or classified at a low level) may yield a more highly classified document. For example, a picture of the Statue of Liberty and its caption, "Location of Secret Particle Beam Weapon," could, if separated, both be unclassified. Together, they might be top secret. The problem of detecting whether such a collection exists is called the aggregation problem. If the new document is created by sanitizing an existing one, the new document may be classified at a lower level than the original. Determination of when the information in a document has been sufficiently "desensitized" is called the sanitization problem. Proper identification of aggregated or sanitized information is the obligation of the document creator, in cooperation with his security officer. If a document is found to have been more highly classified than required, it may be downgraded (given a lower security level without changing its contents).

As long as the principal storage medium for the information is paper, and the principal tools for creating it are manual (e.g., pens, pencils, typewriters), the control of these operations is not too difficult. When a document is not in a safe, it is in the custody of some individual trusted not to distribute it improperly. A draft document with an as-yet-undetermined classification can be protected by storing it in a safe and neither declaring a specific classification nor entering it into the formal system for control of classified documents. The tools used to create and modify documents are simple and generally passive; they cannot easily alter a classified document or betray its contents to an unauthorized person without the knowing cooperation of the tool user.
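The classification structure of Section 2 (a sensitivity level plus a possibly empty set of compartments, with the rule that a reader must be cleared for every compartment the information carries) and the multilevel document of Section 3 (a document whose classification is that of its most classified paragraph) can be made concrete in a few lines of code. The following is an added example, not code from the paper: the names `SecurityLevel`, `dominates`, `join`, `visible_paragraphs` and `may_read_whole`, and the sample document and subjects, are constructed here. Combining paragraph levels with a lattice join (highest sensitivity, union of compartments) is this example's formalization of the paper's "most classified information it contains" rule; the paper states the rule only for sensitivity levels. A need-to-know list stands in for the discretionary control of Section 2, and aggregation is deliberately not modelled, since the paper describes it as a human judgement.

```python
"""Security-level lattice and multilevel-document checks (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, List

# Sensitivity levels in increasing order, as listed in Section 2.
LEVELS = ("unclassified", "confidential", "secret", "top secret")
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass(frozen=True)
class SecurityLevel:
    """A classification: a sensitivity level plus a (possibly empty) set of compartments."""
    sensitivity: str
    compartments: FrozenSet[str] = frozenset()

    def __post_init__(self):
        if self.sensitivity not in RANK:
            raise ValueError(f"unknown sensitivity level: {self.sensitivity!r}")

    def dominates(self, other: "SecurityLevel") -> bool:
        """True if a subject cleared to this level may see information at `other`:
        the sensitivity must be at least as high, and the subject must be
        cleared for every compartment the information carries (subset test)."""
        return (RANK[self.sensitivity] >= RANK[other.sensitivity]
                and other.compartments <= self.compartments)

    def join(self, other: "SecurityLevel") -> "SecurityLevel":
        """Least upper bound: the lowest level that dominates both operands."""
        higher = self if RANK[self.sensitivity] >= RANK[other.sensitivity] else other
        return SecurityLevel(higher.sensitivity, self.compartments | other.compartments)


@dataclass
class Paragraph:
    text: str
    level: SecurityLevel


@dataclass
class Document:
    """A multilevel object: each paragraph carries its own classification."""
    paragraphs: List[Paragraph]
    need_to_know: FrozenSet[str] = frozenset()   # discretionary control (assumed representation)

    def classification(self) -> SecurityLevel:
        """The document as a whole is classified at the join of its paragraphs.
        This does not detect aggregation; the paper leaves that to the creator."""
        level = SecurityLevel("unclassified")
        for p in self.paragraphs:
            level = level.join(p.level)
        return level


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: SecurityLevel


def visible_paragraphs(subject: Subject, doc: Document) -> List[str]:
    """Mandatory check only: paragraphs whose level the subject's clearance dominates."""
    return [p.text for p in doc.paragraphs if subject.clearance.dominates(p.level)]


def may_read_whole(subject: Subject, doc: Document) -> bool:
    """Both controls: the clearance dominates the whole document's classification
    (mandatory) and the subject has a recorded need to know (discretionary)."""
    return (subject.clearance.dominates(doc.classification())
            and subject.name in doc.need_to_know)


# Constructed sample data; none of it comes from the paper.
DOC = Document(
    paragraphs=[
        Paragraph("Public background.", SecurityLevel("unclassified")),
        Paragraph("Program status.", SecurityLevel("secret")),
        Paragraph("Warhead details.", SecurityLevel("secret", frozenset({"NUCLEAR"}))),
    ],
    need_to_know=frozenset({"alice"}),
)
ALICE = Subject("alice", SecurityLevel("top secret", frozenset({"NUCLEAR"})))
BOB = Subject("bob", SecurityLevel("top secret"))       # high clearance, no NUCLEAR compartment
CAROL = Subject("carol", SecurityLevel("top secret", frozenset({"NUCLEAR"})))  # not need-to-know

if __name__ == "__main__":
    print(DOC.classification())
    for s in (ALICE, BOB, CAROL):
        print(s.name, visible_paragraphs(s, DOC), may_read_whole(s, DOC))
```

Bob's top secret clearance does not dominate the NUCLEAR paragraph, so the compartment check, not the sensitivity ordering, decides his view; Carol passes the mandatory check on the whole document yet is refused by the discretionary one, which is exactly the distinction Section 2 draws between the two kinds of control.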

4. EFFECTS OF AUTOMATION

The use of computers to store and modify information can simplify the composition, editing, distribution, and reading of messages and documents. These benefits are not free, however. Part of the cost is the aggravation of some of the security problems just discussed and the introduction of some new problems as well. Most of the difficulties arise precisely because a computer shared by several users cannot be viewed as a passive object in the same sense that a safe or a pencil is passive.

For example, consider a computer program that displays portions of a document on a terminal. The user of such a program is very likely not its author. It is, in general, possible for the author to have written the program so that it makes a copy of the displayed information accessible to himself (or a third party) without the permission or knowledge of the user who requested the execution of the program. If the author is not cleared to view this information, security has been violated.

Similarly, recording the security level of a document--a straightforward task in a manual system--can be a complex operation for a document stored in a computer. It may require cooperation among several programs (e.g., terminal handler, line editor, file system, disk handler) written by different individuals in different programming languages using different compilers. It is much more difficult to establish that the computer program(s) for recording a classification behaves in accordance with its user's wishes than it is to establish the same criterion for a pen or a pencil.

Information contained in an automated system must be protected from three kinds of threats: (1) the unauthorized disclosure of information, (2) the unauthorized modification of information, and (3) the unauthorized withholding of information (usually called denial of service). Each of the problems discussed below reflects one or more of these dangers.


4.1 Old Problems Aggravated

4.1.1 Aggregation

The aggregation problem exists in a computer-based system just as it does in a manual one. Forming aggregate objects may be easier, though, because users may be able to search many documents more quickly and correlate the information in them more easily than could be done manually. Database management systems that include numerous files of information indexed in several different ways and that can respond to user queries have no direct analog in the world of documents and safes. The response to a single query can aggregate information from a wide variety of sources in ways that would be infeasible in a manual system. A closely related problem is the inference problem. Studies have shown that database systems, if they provide almost any statistical information (such as counts of records, average values) beyond the raw data values stored, are relatively easy to compromise [DEMI77, DENN79a, DENN79b, DOBK79, SCHW79]. By carefully constructing queries and using only small amounts of outside information, a user can often infer the values of data he is unauthorized to obtain directly.

4.1.2 Authentication

In the manual system, keys and safe combinations are entrusted to humans by other humans; it is not generally difficult to recognize the trusted individual. A person opening a safe and examining its contents is likely to be observed by other people who will know whether that person is authorized to do so. Further, an individual with access to a safe must have a clearance sufficient for him to see every document stored in the safe without violating security. Individuals with different clearance levels may have access to the computer system, and so the system must be able to distinguish among its users and restrict information access to qualified users. Since the computer will have access to all the information it stores and since it must provide access to those documents only to authorized individuals, the authentication problem is aggravated: the computer system must have a reliable way of determining with whom it is conversing.

4.1.3 Browsing

Computers generally maintain directories for files to facilitate searching large bodies of information rapidly; rarely is there a similar catalog of all the information contained in even a single safe. Unless a computer system implements strict need-to-know access controls, it may be possible for a user to examine secretly all documents stored in the system at or below his clearance level (this is called the browsing problem). Browsing through all the documents in a safe would be a much more difficult activity to conceal.

4.1.4 Integrity

Undetected modification of information is much easier to accomplish if the information is stored on electronic media than if it is stored on paper, both because changes are harder to detect and because there is often only a single copy of the information that need be altered. Protecting information against unauthorized modification is called the integrity problem.

4.1.5 Copying

Although paper documents may be copied without altering the original, making such a copy entails removing the original from the safe. Undetected copying of files within most computer systems presents no similar barrier and usually can be done much more rapidly.

4.1.6 Denial of Service

In the manual system, the combination for a safe or a cipher lock may be forgotten or misplaced, or the lock may malfunction. In either case the legitimate users of the information in the safe may be denied access to it for a time. Such occurrences, however, are rare. Denial of service is a much more notorious characteristic of computer systems, which can be vulnerable to power outages (or even fluctuations) and to hardware and software problems.


    252 Car l E . Landw ehr4 .2 New Prob lems4 . 2 . 1 C o n h n e m e n tS t o r a g e o f i n f o r m a t i o n i n a c o m p u t e r c a na l so c a u s e n e w k i n d s o f s e c u r i t y p r o b l e m s .I n a c o m p u t e r s y s t e m , p r o g r a m s a r e e x e -c u t e d b y t h e a c t i v e e n t i t i e s i n t h e s y s t e m ,usua l ly c a l l e d processes o r j obs . G e n e r a l l y ,e a c h p roc e ss i s a s soc i a t e d w i th a use r , a ndp r o g r a m s a r e e x e c u t e d b y t h e p r o c e s s i nr e s p o n s e t o t h e u s e r ' s r e q u e s t s . A p r o g r a mt h a t a c c e s s e s s o m e c l a ss i fi e d d a t a o n b e h a l fo f a p r o c e s s m a y l e a k t h o s e d a t a t o o t h e rp r o c e s s e s o r f il es ( a n d t h u s t o o t h e r u s e r s ) .T h e p r e v e n t i o n o f s u c h l e a k a g e i s c al le d t h econ f inemen t prob l em [LA MP73] . La mpsoni d e n ti f i es t h r e e k i n d s o f c h a n n e l s t h a t c a nb e u s e d t o l e a k i n f o r m a t i o n . Leg i t ima techannels a r e t h o s e t h a t t h e p r o g r a m u s e st o c o n v e y th e r e s u lt s o f it s c o m p u t a t i o n( e . g . , t h e p r i n t e d o u t p u t f r o m t h e p r o g r a mor a b il l fo r t he se rv i c e s o f t he p rog ra m ) . I ti s poss ib l e , fo r e xa mple , by va ry ing l i nes p a c i n g , t o h i d e a d d i t i o n a l i n f o r m a t i o n i nt h e s e c h a n n e l s . Storage channels a r e t h o s et h a t u t i l i z e s y s t e m s t o r a g e s u c h a s t e m p o -r a r y f r i e s o r s h a r e d v a r i a b l e s ( o t h e r t h a nt h e l e g i t i m a t e c h a n n e l s ) t o p a s s i n f o r m a -t i o n t o a n o t h e r p r o c e s s . Covert channelsa r e p a t h s n o t n o r m a l l y i n t e n d e d f o r i n fo r -m a t i o n t r a n s f e r a t a l l , b u t w h i c h c o u l d b eu s e d t o s i g n a l s o m e i n f o r m a t i o n . 
F o r e x -a m p l e , a p r o g r a m m i g h t v a r y i ts p a g i n g r a t ei n r e s p o n s e t o s o m e s e n s i t i v e d a t a i t o b -s e r v e s . A n o t h e r p r o c e s s m a y o b s e r v e t h ev a r i a t i o n s i n p a g i n g r a t e a n d " d e c i p h e r "t h e m t o r e v e a l t h e s e n s i t i v e d a t a . B e c a u s et h e y g e n e r a l l y d e p e n d o n t h e o b s e r v a t i o no f b e h a v i o r o v e r t im e , c o v e r t c h a n n e l s a r ea ls o r e f e r r e d t o a s t imin g channels .4 2 .2 T r o l a n H o r s e s a n d T r a p d o o r sA p r o g r a m t h a t m a s q u e r a d e s a s a u s e f u ls e r v i c e b u t s u r r e p t i t i o u s l y l e a k s d a t a i sca l led a Tro jan horse 2. A t rapdo or is al A l t h o u g h t h e s e t e r m s h a d b e e n i n u s e fo r s o m e t i m e ,L a m p s o n w a s a p p a r e n t l y t h e f i r s t t o i n t r o d u c e t h i sn o m e n c l a t u r e f o r k i n d s o f l e a k a g e c h a n n e l s i n t o t h eo p e n l i t e r a t u r e . W e w i l l e m p l o y h i s d e f i m t i o n s , u s i n g" t i m i n g c h a n n e l " i n p la c e o f " c o v e r t c h a n n e l . " T h er e a d e r m c a u t i o n e d t h a t u s a g e i n t h e l i t e r a t u r e i s n o tu n i f o r m .2 T h i s t e r m w a s i n t r o d u c e d b y D a n E d w a r d s mANDE72.

    h i d d e n p i ec e o f c o d e t h a t r e s p o n d s t o aspe c i a l i npu t , a l l ow ing i t s u se r a c c e s s t or e s o u r c e s w i t h o u t p a s si n g t h r o u g h t h e n o r -m a l s e c u r i ty e n f o r c e m e n t m e c h a n i s m . F o re x a m p l e , a t r a p d o o r i n a p a s s w o r d c h e c k i n gr o u t i n e m i g h t b y p a s s i t s c h e c k s i f c a l le d b ya use r w i th a spe c if i c i de n t i f i c a t i on num be r .4 . 2 . 3 O t h e r T h r e a tsA n o t h e r c la ss o f t h r e a t s i n t r o d u c e d b y a u -t o m a t i o n i s r e l a t e d t o t h e e l e c t r i c a l c h a r -a c t e r i s ti c s o f c o m p u t e r s . W i r e t a p p i n g a n dm o n i t o r i n g o f e l e c t r o m a g n e t i c r a d i a t i o ng e n e r a t e d b y c o m p u t e r s f a ll i n t o t h i s c la ss .T h e f o r m a l m o d e l s d e s c r ib e d b e lo w d o n o ta d d r e s s t h i s c la s s o f t h r e a t s , n o r d o t h e yc o v e r p r o b l e m s o f a u t h e n t ic a t i o n , i n fe r -e nc e , o r de n i a l o f s e rv i c e .4 .3 Poten t ia l Ben ef itsI n c o m p e n s a t i o n f o r th e a d d e d c o m p l e x it i esa u t o m a t i o n b r i n g s t o s e c u r i t y , a n a u t o -m a t e d s y s t e m c an , i f p r o p e r l y c o n s t r u c t e d ,b e s t o w a n u m b e r o f b e n e f i t s a s w e ll . F o re x a m p l e , a c o m p u t e r s y s t e m c a n p l a c es t r i c t e r l i m i t s o n u s e r d i s c r e t i o n . I n t h ep a p e r s y s t e m , t h e p o s s es s o r o f a d o c u m e n th a s c o m p l e t e d i s c r e t i o n o v e r i t s f u r t h e r d is -t r i b u t i o n . A n a u t o m a t e d s y s t e m t h a t e n -f o r ce s n e e d - t o - k n o w c o n s t r a i n ts s t r ic t l y c a np r e v e n t t h e r e c i p i e n t o f a m e s s a g e o r d o c -u m e n t f r o m p a s s i n g it t o o th e r s . 
O f co u r s e ,t h e r e c i p i e n t c a n a l w a y s c o p y t h e i n f o r m a -t io n b y h a n d o r r e p e a t i t v e rb a l ly , b u t t h eina b i l i t y t o pa s s i t on d i re c t l y is a s i gn i f i c a n tba r r i e r .

The sanitization of documents can be simplified in an automated system. Removing all uses of a particular word or phrase, for example, can be done more quickly and with fewer errors by a computer than by a person (presuming, of course, that the editing programs work correctly). Although it is doubtful whether a completely general sanitization program is feasible, automated techniques for sanitizing highly formatted information should be available in a few years.

Automated systems can apply a finer grain of protection. Instead of requiring that an entire document be classified at the level of the most sensitive information it contains, a computer-based system can maintain the document as a multilevel object, enforcing the appropriate controls on each subsection. The aggregation and sanitization problems remain; nevertheless, the opportunity exists for more flexible access controls.

An automated system can also offer new kinds of access control. Permission to execute certain programs can be granted or denied so that specific operations can be restricted to designated users. Controls can be designed so that some users can execute a program but cannot read or modify it directly. Programs protected in this way might be allowed to access information not directly available to the user, sanitize it, and pass the results back to the user. Naturally, great care would be needed in the construction of such a sanitization program and the controls protecting it.

Although these benefits are within reach of current technology, they have been difficult to realize in practice. Security is a relative, not an absolute, concept, and gains in security often come only with penalties in performance. To date, most systems designed to include security in the operating system structure have exhibited either slow response times or awkward user interfaces, or both.

Computing Surveys, Vol. 13, No. 3, September 1981

5. FORMAL MODELS FOR COMPUTER SECURITY

The formal structures described below can be used to model the military security environment. These same structures can also be used as the basis for specifying programs that cause a computer to simulate the security controls of the military environment. Because it is difficult to capture the complexities of the real world in a formal structure, each model deviates from reality in some respects. Generally, the models enforce controls that are more rigid than the controls in the actual environment; any computer operations that obey the structures of the model will be secure according to the conventional definitions, and some operations disallowed by the model would nevertheless be considered secure outside the formal model. Although this is the "safe" side on which to err, use of overly restrictive models to improve the security of a system can lead to systems that are unacceptable to their intended users [WILS79].

The models presented in this section are diverse in several ways: they have been developed at different times, they treat the problem from different perspectives, and they provide different levels of detail in their specifications. We have tried to consider both chronology and formal similarity in organizing our presentation. Since models with different formal bases sometimes influence each other over time, it is hard to provide an ordering that both respects formal similarity and avoids forward references. Consequently, we include a brief discussion of some useful concepts and historical trends before presenting the individual models.

5.1 Basic Concepts and Trends

The finite-state machine model for computation views a computer system as a finite set of states, together with a transition function to determine what the next state will be, based on the current state and the current value of the input. The transition function may also determine an output value.
Transitions are viewed as occurring instantaneously in this model; therefore certain potential information channels (e.g., those related to observing the time spent in a certain state) in real systems tend to be hidden by it. Different security models apply different interpretations of this general model, but this structure is the basis for all of those surveyed below.

The lattice model for security levels is widely used to describe the structure of military security levels. A lattice is a finite set together with a partial ordering on its elements such that for every pair of elements there is a least upper bound and a greatest lower bound [BIRK70]. The simple linear ordering of sensitivity levels has already been defined. Compartment sets can be partially ordered by the subset relation: one compartment set is greater than or equal to another if the latter set is a subset of the former. Classifications, which include a sensitivity level and a (perhaps empty) compartment set, can then be partially ordered as follows: for any sensitivity levels a and b and any compartment sets c and d,

    (a, c) ≥ (b, d)  if and only if  a ≥ b and c ⊇ d.

That each pair of classifications has a greatest lower bound and a least upper bound follows from these definitions and the facts that the classification (unclassified, no compartments) is a global lower bound and that we can postulate a classification (top secret, all compartments) as a global upper bound. Because the lattice model matches the military classification structure so closely, it is widely used. The high-water-mark model [WEIS69], one of the earliest formal models, includes a lattice of security levels, though it is not identified as such.

The access matrix model, described in detail below, was developed in the early 1970s as a generalized description of operating system protection mechanisms. It models controls on users' access to information without regard to the semantics of the information in question. A reference monitor checks the validity of users' accesses to objects. Models based on access matrices continue to be of interest because of their generality; recent examples include studies of take-grant models [BISH79] and the model of data security used by Popek [POPE78a].

When classified information is involved, the semantics of the information must be considered: the classification of the information and the clearance of the user must be known before access can be granted. For this purpose, models based on the access matrix have been extended to include classifications, clearances, and rules concerning the classifications.
The best known such model is the Bell and LaPadula model [BELL73a], which may be summarized in two axioms:

(a) No user may read information classified above his clearance level ("no read up");
(b) No user may lower the classification of information ("no write down").

The full statement of the model includes several more axioms and is quite complex.

In the early 1970s, Roger Schell conceived an approach to computer security based on defining a small subset of a system that would be responsible for its security and assuring that this subset would monitor all accesses (i.e., it would provide complete validation of program references), that it would be correct, and that it would be isolated (so that its behavior could not be tampered with). This mechanism would be called a security kernel [ANDE72, SCHE73]. Similar considerations motivated the work of Price and Parnas [PRIC73, PARN74] on virtual memory mechanisms for protection. The Bell and LaPadula model grew out of work on the security kernel concept.

This idea fit well with the notions of operating system kernels and layered abstract machines that were being circulated widely at that time. The security kernel would be the innermost layer of the system and would implement all of the security-relevant operations in the system; for the access-matrix model, the kernel would implement the functions of the reference monitor. Because the security kernel would be of minimal size and functionality, it would be feasible to examine it closely for flaws and perhaps even to verify its correctness (or at least its security properties) formally. In practice, it has been difficult to identify and isolate all of the security-relevant functions of a general-purpose operating system without creating a fairly large, fairly slow kernel.

Information-flow models, based partly on work by Fenton [FENT74], and first introduced by Denning [DENN75], recognize and exploit the lattice structure of security levels. Instead of requiring a list of axioms governing users' accesses, an information-flow model simply requires that all information transfers obey the flow relation among the security classes. The information-flow properties of each statement type in a programming language can be defined, and proofs can be developed about the flows caused by executing a particular program. By focusing on the flow of information instead of on individual accesses to objects, the models achieve an elegance lacking in the Bell and LaPadula model.

Because of continuing DoD interest, work on developing and applying the Bell and LaPadula model has continued. The original model dealt only with the unauthorized disclosure of data, but an extension of it by Biba [BIBA77] added the concept of integrity to deal with the unauthorized modification of data. The model was reformulated for use with automated tools for program verification by Feiertag and others [FEIE77]. This reformulation actually focuses on the information flow possible in a formally specified set of functions, and in this respect is similar to the information-flow models. Efforts have also been made to model security in database management systems using the Bell and LaPadula model [HINK75, GROH76].

Finally, several authors [JONE75, COHE77, FURT78a, MILL78b] have developed models that, in a variety of ways, view programs as channels for information transfer. These models are generally further from the mainstream of computer security than the others, but they provide some interesting comments on the fundamental question of what it means for a program or a computer system to be secure.

5.2 High-Water-Mark Model

The ADEPT-50 time-sharing system, constructed at the System Development Corporation in the late 1960s, was one of the first systems that attempted to implement software controls for classified information [WEIS69]. Although the system was never certified by the DoD for operation as a multilevel secure system, its controls were based on a formal model of military security.

Four types of objects are defined by the ADEPT-50 security model: users, terminals, jobs, and files. Each object is described by an ordered triple of properties, called Authority (A), Category (C), and Franchise (F). The first two of these correspond to a sensitivity level and a compartment set; the third consists of a set of user designations. The Franchise sets are used to implement discretionary need-to-know controls, but they are formally equivalent to an extension of the compartment set that allows a compartment for each user. The model also defines an ordering on these triplets that corresponds to the lattice model (though the structure is not identified as a lattice). "History functions" are defined for the authority and category properties of an object. These functions record the highest authority assigned to the object and the union of all categories assigned to the object since its creation. These are referred to as the high-water mark of the object, from which the model takes its name.
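The lattice ordering of Section 5.1, the two Bell and LaPadula axioms quoted there, and the ADEPT-50 rules of this section (a job's level is the minimum of user and terminal authority with the intersection of their category sets, any access requires the job's level to dominate the file's and raises the history functions, and new files are labelled at the high-water mark), written out as an added Python model. This is an illustration added to the survey, not code from the paper or from ADEPT-50; the level names, the compartment names and the fixed compartment universe are constructed for it. The last function runs the step on which the two models disagree: a job that has read a secret file then writes to a preexisting unclassified file, which the high-water-mark rules grant and the Bell and LaPadula write rule refuses.

```python
from dataclasses import dataclass

# Constructed data for the example (not from the paper): a linear ordering of
# sensitivity levels and a fixed, finite universe of compartments.
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}
ALL_COMPARTMENTS = frozenset({"crypto", "nuclear"})


@dataclass(frozen=True)
class Label:
    """A classification (a, c): sensitivity level a and compartment set c."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """(a, c) >= (b, d) if and only if a >= b and c is a superset of d."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)

    def lub(self, other):
        """Least upper bound: the higher level with the union of compartments."""
        return Label(max(self.level, other.level, key=LEVELS.get),
                     self.compartments | other.compartments)

    def glb(self, other):
        """Greatest lower bound: the lower level with the intersection."""
        return Label(min(self.level, other.level, key=LEVELS.get),
                     self.compartments & other.compartments)


BOTTOM = Label("unclassified")                # global lower bound of the lattice
TOP = Label("top secret", ALL_COMPARTMENTS)   # postulated global upper bound


def blp_allows(subject, obj, mode):
    """The two axioms as the text quotes them: no read up, no write down."""
    if mode == "read":
        return subject.dominates(obj)   # clearance must dominate the object
    if mode == "write":
        return obj.dominates(subject)   # object label must dominate the writer
    raise ValueError(f"unknown mode {mode!r}")


@dataclass
class Job:
    """An ADEPT-50 job: its level at log-in, plus the history functions kept as
    one label (highest authority seen, union of categories seen) that only rises."""
    level: Label
    high_water: Label = BOTTOM

    @classmethod
    def login(cls, user, terminal):
        """Job level = minimum of user and terminal authority with the
        intersection of their category sets, i.e. their GLB in the lattice."""
        return cls(user.glb(terminal))

    def access(self, file_label):
        """Read and write alike: granted iff the job's level dominates the
        file's; a granted access raises the high-water mark."""
        if not self.level.dominates(file_label):
            return False
        self.high_water = self.high_water.lub(file_label)
        return True

    def create_file(self):
        """A new file is labelled at the job's high-water mark, never lower."""
        return self.high_water


def trojan_horse_leak():
    """The step a Trojan horse would take.  Returns (allowed by the high-water-
    mark rules, allowed by Bell and LaPadula, label of a file created next)."""
    user = Label("secret", frozenset({"crypto"}))
    terminal = Label("secret", ALL_COMPARTMENTS)
    job = Job.login(user, terminal)                 # runs at (secret, {crypto})
    secret_file = Label("secret", frozenset({"crypto"}))
    low_file = BOTTOM                               # a preexisting unclassified file
    job.access(secret_file)                         # legitimate read of secret data
    hwm_write = job.access(low_file)                # write-down: HWM rules grant it
    blp_write = blp_allows(job.level, low_file, "write")   # BLP refuses it
    return hwm_write, blp_write, job.create_file()
```

Note what the high-water mark does and does not protect: the write to the unclassified file succeeds and that file keeps its unclassified label, while a file the job creates afterwards is labelled secret even if only unclassified data is written to it. Both consequences, the downward flow and the overclassification, are the ones this section goes on to discuss.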

The values of the current A, C, and F properties and the history functions are used to control the properties assigned to new objects (e.g., newly created files) and to determine whether requested operations will be allowed. To access the system from a terminal, a user must present a user ID and a password. The system then checks a list stored at system start time to see that this ID is known to the system, that it is in the franchise set for this terminal, and that the password is correct. If the log-in succeeds, the given user ID is assigned to the job servicing the user's terminal. The job is assigned the minimum of the authorities assigned to the user and the terminal, and is assigned a category set corresponding to the intersection of the user and terminal category sets. Permission for this job to access a file is granted if and only if the level of the job in the lattice is at least that of the file. Granting access to a file causes the history functions to be updated according to the authority and category set for that file. New files created by this job are assigned an authority and a category set based on the history functions: the authority is set to that of the highest file accessed by this job since log-in, and the category is the union of the category sets of all files accessed since log-in. The franchise is set to that of the job.

The ADEPT-50 time-sharing system, using the security model just described, was implemented on an IBM/360 model 50 and installed in several locations in the Pentagon. In addition to enforcing this model, a number of other security provisions (e.g., audit trails, clearing of newly acquired storage) were included in the implementation.

The principal reason the high-water-mark policy is of interest is that it is one of the few policies actually implemented on an operational computer system. The ADEPT-50 system, operating with this model, provided an acceptable interface to its users. The authority, category, and franchise elements of the model are sufficient to describe the static structure of military security. The restriction that a user can only have access to a file at or below his level in the lattice ensures that he cannot directly read information contained in a file classified above his clearance level. It is possible, however, for a Trojan horse to copy classified information to a (preexisting) file that is unclassified. This copying can be done because the rules of the model allow authorized downward flows of information. Consequently, information can flow out of the system via legitimate, storage, or timing channels. Control of sanitization and aggregation is provided by user vigilance and by audit mechanisms that record the explicit downgrading of information. The controls over the classification of new files are helpful but can lead to the overclassification of data, since the high-water mark can never decrease during a given run. Routine overclassification is likely to lead to routine downgrading of classified data, which would make errors or intentional violations in downgrading harder to detect.³

³ Part of the information in this paragraph (in particular, the assessments of the utility of the user interface and the security model) is derived from conversations with Marv Schaefer and Clark Weissman of SDC.

5.3 Access Matrix Model

The access matrix model for computer protection is based more on abstraction of operating system structures than on military security concepts. One of the earliest descriptions of this model is provided by Lampson [LAMP71]; Denning and Graham [DENN71, GRAH72] describe and extend it. Because of its simplicity and generality, and because it allows a variety of implementation techniques, it has been widely used.

There are three principal components in the access matrix model: a set of passive objects, a set of active subjects, which may manipulate the objects, and a set of rules governing the manipulation of objects by subjects. Objects are typically files, terminals, devices, and other entities implemented by an operating system. A subject is a process and a domain (a set of constraints within which the process may access certain objects). It is important to note that every subject is also an object; thus it may be read or otherwise manipulated by another subject. The access matrix is a rectangular array with one row per subject and one column per object. The entry for a particular row and column reflects the mode of access between the corresponding subject and object. The mode of access allowed depends on the type of the object and on the functionality of the system; typical modes are read, write, append, and execute. In addition, flags may be used to record ownership of a particular object.

The access matrix can be viewed as recording the protection state of the system. Certain operations invoked by subjects can alter the protection state; for example, if the owner of a file deletes it, the column corresponding to that file is removed from the access matrix. In addition, some modes of access may permit users to alter the contents of particular entries of the matrix. If the owner of a file grants another user permission to read it, for example, the permission must be recorded in the appropriate access matrix entry. Graham and Denning provide an example set of rules, for creating and deleting objects and granting or transferring access permissions, that alter the access matrix. These rules, together with the access matrix, are at the heart of the protection system, since they define the possible future states of the access matrix.

All accesses to objects by subjects are assumed to be mediated by an enforcement mechanism that refers to the data in the access matrix. This mechanism, called a reference monitor [ANDE72], rejects any accesses (including improper attempts to alter the access matrix data) that are not allowed by the current protection state and rules. Graham and Denning [GRAH72] consider each object to be an instance of a particular object type. References to objects of a given type must be validated by the monitor for that type. Each type monitor then uses the data in the access matrix to validate the requested operations. In this view, there is a separate monitor that controls requests to change the access matrix. If all accesses of the access matrix pass through the access matrix monitor, that monitor is equivalent to the reference monitor.

Because the access matrix model specifies only that there are rules (and subjects and objects and access modes) but not what the rules (or subjects or objects or access modes) are in detail, the model has great flexibility and wide applicability. It is difficult, however, to prove assertions about the protection provided by systems that follow this model without looking in detail at the particular subjects, objects, modes of access, and rules for transforming the access matrix. Harrison, Ruzzo, and Ullman [HARR76] investigated an access matrix model with six rules similar to the examples posed by Graham and Denning and found undecidable the question of whether, given an initial access matrix configuration, an arbitrary access right can later appear at an arbitrary location in the access matrix.

In actual computer systems, the access matrix would be very sparse if it were implemented as a two-dimensional array. Consequently, implementations that maintain protection data tend to store them either rowwise, keeping with each subject a list of the objects and access modes allowed it, or columnwise, storing with each object a list of those subjects that may access it and the access modes allowed each. The former approach is called the capability list approach, the latter, the access control list approach. These approaches are often used together, as in MULTICS [ORGA72] and other virtual memory systems. Virtual memory addresses can act as capabilities; possession of the address (and of the corresponding translation tables) in this sense suffices to authorize access to the corresponding data. And files in the system may have access control lists attached to control which subjects may actually read or alter the data in the file (even though all users may know the name of the file).

The access matrix model, properly interpreted, corresponds very well to a wide variety of actual computer system implementations. Without some additions, however, it does not include mechanisms or rules corresponding to the requirements for military security. In systems based on this model, the protection of a file of information is the responsibility of the file's owner. He can grant access to any user, and, typically, any user granted read-access to the file can copy and distribute the information any way he pleases. Thus, without specializing the model, it would be very difficult to prove any theorems concerning the flow of information. On the other hand, the model neatly separates the mechanisms for enforcement from the policy enforced: the mechanisms of the system are the enforcers, and the current policy is contained in the current state of the access matrix. Note, however, that this interpretation of "policy" implies that any subject with the ability to create or delete objects or to grant or revoke object-access can alter the policy enforced. The simplicity of the model, its definition of subjects, objects, and access control mechanisms, is very appealing. Consequently, it has served as the basis for a number of other models and development efforts, described below.

5.4 Models Based on Access Matrices

This section presents two models that are based on the concept of an access matrix. Both are intended to represent the behavior of a capability-based operating system. The first was developed as part of an effort to construct a prototype security kernel; the second, developed in terms of graph theory, has had little practical application.

5.4.1 UCLA Data Secure UNIX⁴ Model

The efforts at UCLA to design, implement, specify, and verify a security kernel for UNIX have been described in numerous papers and technical reports [POPE75, POPE78a, POPE78b, POPE79, WALK80]. The approach taken by Popek and his group is based on a concept they call data security: direct access to data must be possible only if the recorded protection policy permits it. The kernel is intended to enforce only this notion of security; it does not embody a particular security policy (in contrast to the kernels based directly on the Bell and LaPadula model). In the UCLA implementation, the protection policy is embodied in a separate process called the policy manager. A particular request from a user (e.g., to open a file) must be approved by the policy manager before the kernel will honor it. The kernel supports a form of capabilities, and the policy manager informs the security kernel of security policy by issuing the grant-capability kernel call.

The specification of the kernel is given in four increasingly abstract levels [WALK80]. The lowest level is the kernel implementation in an extended PASCAL; next is a low-level specification in the language of the XIVUS verification system [YONK76], organized as a data-defined specification. Then comes an abstract-level specification formulated as a finite-state machine with the effect of each kernel call reflected in the transition function; finally, there is a top-level specification, also given as a finite-state machine. Mapping functions are provided from each lower level to the next higher one, so that a chain exists from the implementation to the top-level specification.

The security model implemented by the UCLA Data Secure Unix (DSU) corresponds to the data security property required of the top-level specification. The simplest description of the top-level model for DSU is given in [WALK80]. It is a finite-state machine model, with the state defined by the following four components:

(a) process objects;
(b) protection-data objects, with values being sets of capabilities;
(c) general objects (comprising both pages and devices); and
(d) a current-process-name object, whose value is the name of the currently running process.

The security criterion is given in terms of the state: a component of the state is actually modified or referenced only if the protection data for the process named by the current-process-name object allow such access. In [POPE78a], a more formal and detailed definition of data security is given. It has three assertions, stated informally below:

(S1) Protected objects may be modified only by explicit request.
(S2) Protected objects may be read only by explicit request.
(S3) Specific access to protected objects is permitted only when the recorded protection data allow it.

In [POPE78a] and in [KEMM79], these assertions concern the abstract-level specification; the top-level specification was apparently added later.

⁴ UNIX is a trademark of Bell Laboratories.

The UCLA DSU model is in one sense more general than the Bell and LaPadula model. It includes no mention of classifications, clearances, or the security lattice. All of these could be introduced, presumably, by an appropriately specified policy manager. The policy manager described in [POPE78b], though, is based on "colors." Each user and file has an associated color list, and for a user to access a file, his color list must cover the color list of the file. This access control technique also extends to processes and devices. Formally, this model appears equivalent to the military compartment structure, and it could be used to implement a lattice structure.

The UCLA DSU model was constructed only with the goal of preventing unauthorized direct references to or modification of protected data; it is not concerned with storage or timing channels.
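The separation of mechanism from policy described in this section, as an added Python sketch (an illustration for this survey, not the UCLA kernel, its specifications, or its policy manager): a kernel that checks only the recorded protection data, so that reads and writes of general objects happen only by explicit request and only when the current process holds a capability (assertions S1 to S3), and a separate policy manager that decides each open request by the color rule of [POPE78b] and records its decision through a grant-capability call. The process, user, file and color names are constructed, and the kernel's current-process-name object is driven by a one-line stand-in for scheduling.

```python
class Kernel:
    """Mechanism only.  Protection data is a set of capabilities per process;
    a read or write succeeds iff the current process holds a matching one (S3),
    and nothing is read or written except through these calls (S1, S2).  The
    kernel knows nothing about users or colors."""

    POLICY_MANAGER = "policy-manager"     # the one process allowed to grant

    def __init__(self, objects):
        self.objects = dict(objects)      # general objects: name -> contents
        self.protection_data = {}         # process -> {(object, mode)}
        self.current_process = None       # the current-process-name object

    def schedule(self, process):
        """Stand-in for the scheduler: names the process now running."""
        self.current_process = process

    def _permitted(self, obj, mode):
        return (obj, mode) in self.protection_data.get(self.current_process, ())

    def grant_capability(self, process, obj, mode):
        """Kernel call that records policy; honoured only for the policy manager."""
        if self.current_process != self.POLICY_MANAGER:
            return False
        self.protection_data.setdefault(process, set()).add((obj, mode))
        return True

    def read(self, obj):
        if not self._permitted(obj, "read"):
            raise PermissionError(f"{self.current_process} may not read {obj}")
        return self.objects[obj]

    def write(self, obj, data):
        if not self._permitted(obj, "write"):
            raise PermissionError(f"{self.current_process} may not write {obj}")
        self.objects[obj] = data


class PolicyManager:
    """Policy only.  A user may open a file iff the user's color list covers
    (is a superset of) the file's.  It never touches file contents; it only
    asks the kernel to record a capability for the requesting process."""

    def __init__(self, kernel, process_owner, user_colors, file_colors):
        self.kernel, self.process_owner = kernel, process_owner
        self.user_colors, self.file_colors = user_colors, file_colors

    def open(self, process, obj, mode):
        user = self.process_owner[process]
        if not self.user_colors[user] >= self.file_colors[obj]:
            return False
        # The manager runs as its own process and uses the kernel call;
        # the two schedule() calls model the switch to it and back.
        self.kernel.schedule(Kernel.POLICY_MANAGER)
        granted = self.kernel.grant_capability(process, obj, mode)
        self.kernel.schedule(process)
        return granted


def scenario():
    """Constructed users, files and colors; returns the outcome of each step."""
    kernel = Kernel({"budget": "FY82 figures", "codes": "launch codes"})
    pm = PolicyManager(kernel,
                       process_owner={"p-alice": "alice", "p-bob": "bob"},
                       user_colors={"alice": {"red", "blue"}, "bob": {"red"}},
                       file_colors={"budget": {"red"}, "codes": {"red", "blue"}})
    out = {}
    kernel.schedule("p-bob")
    try:
        kernel.read("budget")                      # no capability yet: refused (S3)
        out["bob_read_before_open"] = "allowed"
    except PermissionError:
        out["bob_read_before_open"] = "refused"
    out["bob_self_grant"] = kernel.grant_capability("p-bob", "codes", "read")
    out["bob_open_codes"] = pm.open("p-bob", "codes", "read")      # lacks blue
    out["bob_open_budget"] = pm.open("p-bob", "budget", "read")
    out["bob_read_budget"] = kernel.read("budget")
    out["alice_open_codes"] = pm.open("p-alice", "codes", "read")
    kernel.schedule("p-alice")
    out["alice_read_codes"] = kernel.read("codes")
    return out
```

The point of the split is visible in the two refusals: the kernel turns away the read that precedes any open and the attempt by an ordinary process to grant itself a capability, without knowing why, while the policy manager alone decides that bob's colors do not cover the second file. Replacing the color test with the lattice dominance of Section 5.1 would change only PolicyManager.open.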

5.4.2 Take-Grant Models

Take-grant models use graphs to model access control. They have been described and studied by several people [JONE76, LIPT77, SNYD77, JONE78a, BISH79, SNYD79]. Although couched in the terms of graph theory, these models are fundamentally access matrix models. The graph structure can be represented as an adjacency matrix, and labels on the arcs can be coded as different values in the matrix. Because it is the most recently published and because it deals with a wider class of security problems than previous versions, the particular model of BISH79 will be described here.

In a take-grant model, the protection state of a system is described by a directed graph that represents the same information found in an access matrix. Nodes in the graph are of two types, one corresponding to subjects and the other to objects. An arc directed from a node A to another node B indicates that the subject (or object) A has some access right(s) to subject (or object) B. The arc is labeled with the set of A's rights to B. The possible access rights are read (r), write (w), take (t), and grant (g). Read and write have the obvious meanings. Take access implies that node A can take node B's access rights to any other node. For example, if there is an arc labeled (r, g) from node B to node C, and if the arc from A to B includes a "t" in its label, then an arc from A to C labeled (r, g) could be added to the graph (see Figure 1). Conversely, if the arc from A to B is marked with a "g," B can be granted any access right A possesses. Thus, if A has (w) access to a node D and (g) access to B, an arc from B to D marked (w) can be added to the graph (see Figure 2).

Figure 1. Example of take. (Initial graph; graph following "A takes (r, g to C)".)

Figure 2. Example of grant. (Graph following "A grants (w to D) to B".)

Because the graph need only include arcs corresponding to nonnull entries in the access matrix, it provides a compact way to present the same information given in a relatively sparse access matrix. Capability systems are thus prime candidates for this modeling technique; each arc would then represent a particular capability.

Together with the protection graph, the model includes a set of rules for adding and deleting both nodes and arcs to the graph. Two of these, corresponding to the exercise of "take" and "grant" access rights, have already been described. A "create" rule allows a new node to be added to the graph. If subject A creates a new node Y, both the node Y and an arc AY are added to the graph. The label on AY includes any subset of the possible access rights.
A "remove" rule allows an access right to be removed from an arc; if all rights are removed from an arc, the arc is removed as well. An early version of the model [LIPT77] also included a "call" rule to model invocation of a program as a separate process. Other rules can be added, depending on the properties of the system being modeled, but in the published literature, take, grant, create, and remove are the key operations.

The questions first asked of this model were of the form: "Given an initial protection graph and the set of rules, is it possible for a subject A to gain a particular access right to an object B?" Note that this is a question about the possibility of the initial graph being transformed into one containing a specific arc through some sequence of rule applications. The work of Harrison, Ruzzo, and Ullman [HARR76] showed this problem to be undecidable for an arbitrary set of rules and an initial graph but decidable for a specific set of rules. The answer is stated as a theorem in SNYD77: A can acquire the right in question if and only if there is some subject or object that already has the right and A and B are connected by a path with a certain structure. For the rules of the take-grant model, this answer can be computed in a time directly proportional to the size of the graph [JONE76].

In BISH79, Bishop and Snyder recognize that information about an object can sometimes be transferred to a subject without the subject's gaining a direct access right for that object. For example, information can be copied from one object to another and access to the copy can be granted to others without ever granting others direct access to the original file. An information transfer of this type is called de facto, while the transfer of authority according to the rules discussed earlier is called de jure. Four "representative" graph rewriting rules to model de facto transfers are described and studied. Edges added to the graph by application of de facto rules are called implicit edges to distinguish them from the explicit edges added by the de jure rules. Predicates called can-know and can-tell are defined to characterize the possibility that an edge can be constructed between two nodes by application of the de facto rules.
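The de jure rules (take, grant, create, remove) and the "can A gain right x to B?" question, as an added Python example; this is not code from the paper or from the cited authors. The graphs in the test reproduce Figures 1 and 2, and can_acquire is a hypothetical brute-force checker over take and grant only (node creation is left out so the state space stays finite), not the linear-time theorem of SNYD77 and JONE76.

```python
from collections import deque

# Protection graph: {(src, dst): set of rights}.  Only subjects apply rules.
RIGHTS = frozenset("rwtg")


def take(graph, a, b, rights, c):
    """A takes `rights` to C from B: needs "t" on A->B and `rights` on B->C."""
    if "t" not in graph.get((a, b), set()):
        raise PermissionError(f"{a} has no take right to {b}")
    if not set(rights) <= graph.get((b, c), set()):
        raise PermissionError(f"{b} does not hold {set(rights)} to {c}")
    graph.setdefault((a, c), set()).update(rights)


def grant(graph, a, b, rights, d):
    """A grants `rights` to D to B: needs "g" on A->B and `rights` on A->D."""
    if "g" not in graph.get((a, b), set()):
        raise PermissionError(f"{a} has no grant right to {b}")
    if not set(rights) <= graph.get((a, d), set()):
        raise PermissionError(f"{a} does not hold {set(rights)} to {d}")
    graph.setdefault((b, d), set()).update(rights)


def create(graph, a, y, rights):
    """A creates node Y with an arc A->Y carrying any subset of the rights."""
    if any(y in arc for arc in graph):
        raise ValueError(f"{y} already exists")
    graph[(a, y)] = set(rights) & RIGHTS


def remove(graph, a, b, rights):
    """Drop `rights` from arc A->B; an arc with no rights left disappears."""
    graph[(a, b)] -= set(rights)
    if not graph[(a, b)]:
        del graph[(a, b)]


def can_acquire(graph, subjects, a, right, b):
    """Exhaustive search: can A gain `right` to B by take/grant steps alone?

    Sound, but complete only for derivations that need no new nodes.  Moving
    every right on an arc at once loses nothing: extra rights never disable
    a rule, so the maximal transfer dominates every subset transfer.
    """
    def freeze(g):
        return frozenset((arc, frozenset(rs)) for arc, rs in g.items())

    start = {arc: set(rs) for arc, rs in graph.items()}
    seen, queue = {freeze(start)}, deque([start])
    while queue:
        g = queue.popleft()
        if right in g.get((a, b), set()):
            return True
        for (s, y), rs in list(g.items()):
            if s not in subjects:
                continue              # objects cannot initiate rules
            moves = []
            if "t" in rs:             # s takes y's rights to any z
                moves += [((s, z), g[(y, z)]) for (y2, z) in g if y2 == y and z != s]
            if "g" in rs:             # s grants its own rights to y
                moves += [((y, z), g[(s, z)]) for (s2, z) in g if s2 == s and z != y]
            for arc, new_rights in moves:
                if new_rights <= g.get(arc, set()):
                    continue          # the step would add nothing
                nxt = {k: set(v) for k, v in g.items()}
                nxt.setdefault(arc, set()).update(new_rights)
                if freeze(nxt) not in seen:
                    seen.add(freeze(nxt))
                    queue.append(nxt)
    return False
```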

    Computing Surveys, Vol 13, No 3, September 1981


An objection sometimes made to take-grant models is that they are too "weak" to provide useful inferences about protection systems: it is claimed that the result of applying a take-grant model to a "real" system will be a fully connected graph--all subjects can gain access to all objects. Certainly, this will be the case in any system in which a user can create a file and grant access to it to all users. The problem is that the model makes a worst case assumption about the behavior of users--if a user can grant access rights for an object to some other user, the model assumes that at some time he will do so. In some cases, of course, this may be the appropriate assumption. If the users of the system cannot be trusted, for example, and if the system itself can enforce no finer controls than those on capabilities, this model may yield useful results. It does seem limited with respect to its ability to model controlled sharing of information, though.

Snyder partially addressed this problem [SNYD77] by defining a predicate can-steal to distinguish cases in which a subject can gain an access right to an object without the collusion of another subject who already has that right. This treatment deals only with de jure access. Jones [JONE78a], in applying the model to demonstrate a security flaw in MULTICS, extended the model to provide a finer control on user discretion. She introduced the concept of property sets as a restriction on the behavior of subjects and added procedure objects (a new node type) and rights for creating and invoking them.

Like the UCLA DSU model, the take-grant model does not include security classes. Subjects and objects are not distinguished according to clearance levels or security levels. The levels could be added by labeling subjects and objects and by restricting the graph rewriting rules according to the lattice relations. The likely result, in the case of the military security lattice, would be a graph-theoretic formulation of the Bell and LaPadula model.

5.5 Bell and LaPadula Model

As part of its computer security program, the Air Force sponsored the construction of some prototype security kernels and some

formal models for computer security. The principal prototype efforts were conducted at MITRE and (sponsored by DARPA) at UCLA, while the research in formal models was performed both at Case Western Reserve University, by Walter et al. [WALT74, WALT75a, WALT75b], and at MITRE, by Bell and LaPadula [BELL73a, BELL73b, BELL74a, BELL74b, BELL75]. These prototype and model developments were seminal; current efforts to build "kernelized" systems are based on the same ideas and use security models similar to the ones developed in the Case Western and MITRE projects. Both of these models are formalizations and specializations of the access matrix model to incorporate military security policy. Because the models developed at Case and at MITRE are so similar, only the latter (Bell and LaPadula) version is described here.

Bell and LaPadula use finite-state machines to formalize their model. They define the various components of the finite-state machine, define what it means (formally) for a given state to be secure, and then consider the transitions that can be allowed so that a secure state can never lead to an insecure state.

Although the presentations in the original reports carry a heavy burden of notation from systems theory, the model can be understood informally without the notation. In addition to the subjects and objects of the access matrix model, it includes the security levels of the military security system: each subject has a clearance and each object has a classification. Each subject also has a current security level, which may not exceed the subject's clearance.

The access matrix is defined as above, and four modes of access are named and specified as follows:

read-only: subject can read the object but not modify it;
append: subject can write the object but cannot read it;
execute: subject can execute the object but cannot read or write it directly; and
read-write: subject can both read and write the object.

A control attribute, which is like an ownership flag, is also defined. It allows a subject to pass to other subjects some or all of the access modes it possesses for the controlled object. The control attribute itself cannot be passed to other subjects; it is granted to the subject that created the object.

Creation of objects is viewed as a two-part operation: (1) addition of a new inactive object to the existing set of objects, and (2) activation of an inactive object. The tranquility principle asserts that no operation may change the classification of an active object. Bell and LaPadula state and adopt this principle, although they recognize that it is not required by military security structures.

For a state to be secure, two properties must hold:

(1) the simple security property: no subject has read access to any object that has a classification greater than the clearance of the subject; and
(2) the *-property (pronounced "star-property"): no subject has append-access to an object whose security level is not at least the current security level of the subject; no subject has read-write access to an object whose security level is not equal to the current security level of the subject; and no subject has read access to an object whose security level is not at most the current security level of the subject.

A set of rules governing the transition from one state to another is also given. These rules are analogous to the example rules given by Graham and Denning for altering an access matrix, and are required to preserve the two security properties. The particular rules defined by Bell and LaPadula provide the following functions:

(1) get (read, append, execute, or read-write) access, to initiate access to an object by a subject in the requested mode;
(2) release (read, append, execute, or read-write) access, the inverse of get access;
(3) give (read, append, execute, or read-write) access, to allow the controller of an object to extend the designated access to another subject;
(4) rescind (read, append, execute, or read-write) access, the inverse of give access;
(5) create object, to activate an inactive object;
(6) delete object, to deactivate an active object; and
(7) change security level, to allow a subject to alter its current security level.

With the formal definition of each rule is given a set of restrictions on the application of the rule to generate a new system state. For example, a subject can only give or rescind access to an object if the subject has the control attribute for that object, and a subject can only get read access to an object if the security level of the object is at most the current security level of the subject. In BELL74a, it is demonstrated that each of the specified rules preserves the security property and the *-property. Since none of the rules affects the classifications of active objects, the rules obey the tranquility principle as well.

The definition of the *-property given above is taken from BELL74a, p. 30, and BELL75, p. 83. Bell and LaPadula also develop the notion of trusted subjects. A trusted subject is one that can be relied on not to compromise security even if some of its current accesses violate the *-property; the *-property need only be enforced on requests made by untrusted subjects. The definition of this class of subjects recognizes that the *-property is more stringent than military security requires. The version of the *-property given above actually includes the simple security property as well, since the current security level of the subject can never exceed the clearance of the subject. Despite the detailed definition given by Bell and LaPadula, the term "*-property" today is usually identified only with the prohibition of "writing down" (i.e., the restriction on read-write and append modes of access), and the simple security property (or simple security condition) is still identified with the restriction on "reading up" (i.e., the res
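The two state properties, the trusted-subject exemption and three of the transition rules (get, give, change security level), as an added Python example that is not from the paper or from Bell and LaPadula's reports. It assumes security levels are (classification, compartments) pairs compared by dominance, the four access modes named above, and that change_level re-checks the whole state (this example's reading of the rule restrictions); the subjects, objects and levels in the test are constructed.

```python
from dataclasses import dataclass, field

# Security levels are (classification, compartments) pairs; hi dominates lo
# when hi's classification is at least lo's and hi holds all of lo's
# compartments.  This lattice, the names below and the State layout are
# assumptions of the example.
RANK = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}
READ_MODES = {"read-only", "read-write"}


def dominates(hi, lo):
    return RANK[hi[0]] >= RANK[lo[0]] and set(hi[1]) >= set(lo[1])


@dataclass
class State:
    clearance: dict                     # subject -> clearance level
    current: dict                       # subject -> current security level
    classification: dict                # active object -> classification
    control: dict                       # object -> subject holding control
    access: dict = field(default_factory=dict)   # (subject, object) -> modes
    trusted: set = field(default_factory=set)    # exempt from the *-property


def violations(state, s, o, modes):
    """Names of the properties that subject s holding `modes` on o would break."""
    obj, cur, clr = state.classification[o], state.current[s], state.clearance[s]
    broken = set()
    if modes & READ_MODES and not dominates(clr, obj):
        broken.add("simple security property")    # reading up past clearance
    if s in state.trusted:
        return broken                             # trusted: *-property waived
    if "append" in modes and not dominates(obj, cur):
        broken.add("*-property")                  # append below current level
    if "read-write" in modes and not (dominates(obj, cur) and dominates(cur, obj)):
        broken.add("*-property")                  # read-write needs equal levels
    if modes & READ_MODES and not dominates(cur, obj):
        broken.add("*-property")                  # read above current level
    return broken


def secure(state):
    """A state is secure when every current access satisfies both properties."""
    return all(not violations(state, s, o, m) for (s, o), m in state.access.items())


def get_access(state, s, o, mode):
    """Rule (1): add the requested mode only if the new state is still secure."""
    modes = state.access.get((s, o), set()) | {mode}
    if violations(state, s, o, modes):
        return False
    state.access[(s, o)] = modes
    return True


def give_access(state, giver, s, o, mode):
    """Rule (3): only the controller of o may extend access, and the receiving
    subject is still bound by the two properties."""
    if state.control.get(o) != giver:
        return False
    return get_access(state, s, o, mode)


def change_level(state, s, level):
    """Rule (7): the new current level may not exceed the clearance and must
    leave every existing access secure; otherwise the change is rolled back."""
    if not dominates(state.clearance[s], level):
        return False
    old, state.current[s] = state.current[s], level
    if secure(state):
        return True
    state.current[s] = old
    return False
```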