the bell-lapadula model - university of surrey...bell-lapadula the principle of an automata model 1...
TRANSCRIPT
![Page 1: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/1.jpg)
The Bell-LaPadula ModelCSM27 Computer Security
Dr Hans Georg Schaathun
University of Surrey
Autumn 2008 – Week 6
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 1 / 32
![Page 2: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/2.jpg)
The session
Outline
1 The session
2 Finite Automata
3 Bell-LaPadula
4 Security Properties
5 Limitations
6 Multics
7 Conclusion
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 2 / 32
![Page 3: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/3.jpg)
The session
Session objectives
Be able to use the principle of finite automata to describe securitymodels.Understand the confidentiality policy of Bell-LaPadulaUnderstand the limitations of Bell-LaPadula
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 3 / 32
![Page 4: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/4.jpg)
Finite Automata
Outline
1 The session
2 Finite Automata
3 Bell-LaPadula
4 Security Properties
5 Limitations
6 Multics
7 Conclusion
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 4 / 32
![Page 5: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/5.jpg)
Finite Automata
A finite automata
state-machine ≈ automataA set of states, QAn input alphabet Σ
labels for the state transitions
inital state q0 ∈ Qaccepting states A ⊂ Qtransition function δ : Q × Σ → Q
equivalent to the edges (arrows)
0 1
2 3
4 5
0
0 1
0
1
1
10
0
1
1
0
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 5 / 32
![Page 6: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/6.jpg)
Finite Automata
A finite automata
A state can be good or badsecure or insecure
Transitions from good to badstates are dangerous.Two criteria
Start state be secureNo transition from secure toinsecure
0 1
2 3
4 5
0
0 1
0
1
1
10
0
1
1
0
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 6 / 32
![Page 7: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/7.jpg)
Finite Automata
A finite automata
A state can be good or badsecure or insecure
Transitions from good to badstates are dangerous.Two criteria
Start state be secureNo transition from secure toinsecure
0 1
2 3
4 5
0
0 1
0
1
1
10
0
1
1
0
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 6 / 32
![Page 8: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/8.jpg)
Finite Automata
A finite automata
A state can be good or badsecure or insecure
Transitions from good to badstates are dangerous.Two criteria
Start state be secureNo transition from secure toinsecure
0 1
2 3
4 5
0
0 1
0
1
1
11
00
1
1
0
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 6 / 32
![Page 9: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/9.jpg)
Bell-LaPadula
Outline
1 The session
2 Finite Automata
3 Bell-LaPadula
4 Security Properties
5 Limitations
6 Multics
7 Conclusion
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 7 / 32
![Page 10: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/10.jpg)
Bell-LaPadula
The principle of an automata model
1 Describe all secure states2 Describe transitions from secure states3 Prove that no transition leads from secure to insecure
If this is possible, the system is provably secure.Bell-LaPadula is one description of secure states.
Similar principles apply to e.g. database developmentDatabase has to be maintained in a consistent stateNo operation (transition) allowed to bring the database to aninconsistent state
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 8 / 32
![Page 11: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/11.jpg)
Bell-LaPadula
Elements of Access Control
a set of subjects Sa set of objects Oset of access operations A = {execute,read,append,write}A set of security levels L, with a partial ordering ≤
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 9 / 32
![Page 12: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/12.jpg)
Bell-LaPadula
The State Set
A state : (b, M, f ), includesAccess operations currently in use b
List of tuples (s, o, a), s ∈ S, o ∈ O, a ∈ A.Access permission matrix
M = (Ms,o)s∈S,o∈O , where Ms,o ⊂ AClearance and classification f = (fS, fC , fO)
fS : S → L maximal security level of a subjectfC : S → L current security level of a subject (fC ≤ fS)fO : O → L classification of an object
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 10 / 32
![Page 13: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/13.jpg)
Security Properties
Outline
1 The session
2 Finite Automata
3 Bell-LaPadula
4 Security Properties
5 Limitations
6 Multics
7 Conclusion
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 11 / 32
![Page 14: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/14.jpg)
Security Properties
Simple Security Property (SS-property)
A state (b, M, f ) satisfies the SS-property if∀(s, o, a) ∈ b, such that a ∈ {read,write}fO(o) ≤ fS(s)
I.e. a subject can only observe objects of lower classification
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 12 / 32
![Page 15: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/15.jpg)
Security Properties
What about write access?
What policy do we need for write access?Integrity: no write-up (to higher security levels)Confidentiality: no write-down (to lower security levels)Bell-LaPadula concerns confidentialitySubject must not transmit messages to subjects at lower levelsCurrent security level allows communications
A subject has to be downgraded to send messagesBecause subjects are computer programs
they can be made to forget their knowledge when downgraded
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 13 / 32
![Page 16: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/16.jpg)
Security Properties
What about write access?
What policy do we need for write access?Integrity: no write-up (to higher security levels)Confidentiality: no write-down (to lower security levels)Bell-LaPadula concerns confidentialitySubject must not transmit messages to subjects at lower levelsCurrent security level allows communications
A subject has to be downgraded to send messagesBecause subjects are computer programs
they can be made to forget their knowledge when downgraded
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 13 / 32
![Page 17: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/17.jpg)
Security Properties
What about write access?
What policy do we need for write access?Integrity: no write-up (to higher security levels)Confidentiality: no write-down (to lower security levels)Bell-LaPadula concerns confidentialitySubject must not transmit messages to subjects at lower levelsCurrent security level allows communications
A subject has to be downgraded to send messagesBecause subjects are computer programs
they can be made to forget their knowledge when downgraded
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 13 / 32
![Page 18: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/18.jpg)
Security Properties
What about write access?
What policy do we need for write access?Integrity: no write-up (to higher security levels)Confidentiality: no write-down (to lower security levels)Bell-LaPadula concerns confidentialitySubject must not transmit messages to subjects at lower levelsCurrent security level allows communications
A subject has to be downgraded to send messagesBecause subjects are computer programs
they can be made to forget their knowledge when downgraded
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 13 / 32
![Page 19: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/19.jpg)
Security Properties
What about write access?
What policy do we need for write access?Integrity: no write-up (to higher security levels)Confidentiality: no write-down (to lower security levels)Bell-LaPadula concerns confidentialitySubject must not transmit messages to subjects at lower levelsCurrent security level allows communications
A subject has to be downgraded to send messagesBecause subjects are computer programs
they can be made to forget their knowledge when downgraded
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 13 / 32
![Page 20: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/20.jpg)
Security Properties
What about write access?
What policy do we need for write access?Integrity: no write-up (to higher security levels)Confidentiality: no write-down (to lower security levels)Bell-LaPadula concerns confidentialitySubject must not transmit messages to subjects at lower levelsCurrent security level allows communications
A subject has to be downgraded to send messagesBecause subjects are computer programs
they can be made to forget their knowledge when downgraded
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 13 / 32
![Page 21: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/21.jpg)
Security Properties
*-property
A state (b, M, f ) satisfies the *-property if∀(s, o, a) ∈ b, such that a ∈ {append,write}fC(s) ≤ fO(o)
andif ∃(s, o, a) ∈ b where a ∈ {append,write},then ∀o′, a′ ∈ {read,write}, such that (s, o′, a′) ∈ bfO(o′) ≤ fO(o)
I.e. a subject can only alter objects of higher classification,and cannot read a high-level object while writing to a low-levelobject.
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 14 / 32
![Page 22: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/22.jpg)
Security Properties
Discretionary Security Property
Previous security properties provide Mandatory Access Controli.e. a centrally defined access policy
The security levels are defined by a central policyDiscreationary Access Control (DAC) decentralises the controlThe access control matrix M allows DAC in Bell-LaPadula
A state (b, M, f ) satisfies the DS-property if∀(s, o, a) ∈ ba ∈ Ms,o.
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 15 / 32
![Page 23: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/23.jpg)
Security Properties
Discretionary Security Property
Previous security properties provide Mandatory Access Controli.e. a centrally defined access policy
The security levels are defined by a central policyDiscreationary Access Control (DAC) decentralises the controlThe access control matrix M allows DAC in Bell-LaPadula
A state (b, M, f ) satisfies the DS-property if∀(s, o, a) ∈ ba ∈ Ms,o.
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 15 / 32
![Page 24: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/24.jpg)
Security Properties
Discretionary Security Property
Previous security properties provide Mandatory Access Controli.e. a centrally defined access policy
The security levels are defined by a central policyDiscreationary Access Control (DAC) decentralises the controlThe access control matrix M allows DAC in Bell-LaPadula
A state (b, M, f ) satisfies the DS-property if∀(s, o, a) ∈ ba ∈ Ms,o.
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 15 / 32
![Page 25: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/25.jpg)
Security Properties
Discretionary Security Property
Previous security properties provide Mandatory Access Controli.e. a centrally defined access policy
The security levels are defined by a central policyDiscreationary Access Control (DAC) decentralises the controlThe access control matrix M allows DAC in Bell-LaPadula
A state (b, M, f ) satisfies the DS-property if∀(s, o, a) ∈ ba ∈ Ms,o.
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 15 / 32
![Page 26: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/26.jpg)
Limitations
Outline
1 The session
2 Finite Automata
3 Bell-LaPadula
4 Security Properties
5 Limitations
6 Multics
7 Conclusion
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 16 / 32
![Page 27: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/27.jpg)
Limitations
The Criticism of McLean
What happens if we . . .downgrade all subjects to lowest security leveldowngrade all objects to lowest security levelenter all access rights in the ACM M
Is the system secure?It satisfies every security property of BLP!
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 17 / 32
![Page 28: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/28.jpg)
Limitations
The Criticism of McLean
What happens if we . . .downgrade all subjects to lowest security leveldowngrade all objects to lowest security levelenter all access rights in the ACM M
Is the system secure?It satisfies every security property of BLP!
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 17 / 32
![Page 29: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/29.jpg)
Limitations
The sides of the conflict
A system which can be brought to a state with norestrictions cannot be secure.
McLean
This is application dependent. If the users need it, itshould be possible. Otherwise it should not be implemented.
Bell
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 18 / 32
![Page 30: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/30.jpg)
Limitations
Tranquility
McLean’s scenario is really out of scope for BLPBLP considered tranquil systems,
where permissions do not changeEither a system or an operation may be tranquil
A tranquil operation does not change access rights.A tranquil system has no non-tranquil operations.
Tranquility is a particular concern whenoperation tries to remove an access right currently in useHow should this be resolved?
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 19 / 32
![Page 31: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/31.jpg)
Limitations
Covert Channels
Low-level subject sl creates object oHigh-level accomplice sh either
reclassifies o to its own level (Message 1)leaves o unchanged (Message 0)
sl tries to access o, which is eithersuccess (Message 0)access denied (Message 1)
One bit of information is transmitted sh → sl
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 20 / 32
![Page 32: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/32.jpg)
Limitations
Covert Channels
Low-level subject sl creates object oHigh-level accomplice sh either
reclassifies o to its own level (Message 1)leaves o unchanged (Message 0)
sl tries to access o, which is eithersuccess (Message 0)access denied (Message 1)
One bit of information is transmitted sh → sl
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 20 / 32
![Page 33: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/33.jpg)
Limitations
Covert Channels
Low-level subject sl creates object oHigh-level accomplice sh either
reclassifies o to its own level (Message 1)leaves o unchanged (Message 0)
sl tries to access o, which is eithersuccess (Message 0)access denied (Message 1)
One bit of information is transmitted sh → sl
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 20 / 32
![Page 34: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/34.jpg)
Limitations
Covert Channels
Low-level subject sl creates object oHigh-level accomplice sh either
reclassifies o to its own level (Message 1)leaves o unchanged (Message 0)
sl tries to access o, which is eithersuccess (Message 0)access denied (Message 1)
One bit of information is transmitted sh → sl
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 20 / 32
![Page 35: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/35.jpg)
Limitations
Limitations
BLP’s concern is confidentialitylimits the access and sharing of informationno integrity policyno availability policy
BLP assumes a fixed rightsassumes tranquilityno model for access managementno model for policy making
Allows Covert Channels
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 21 / 32
![Page 36: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/36.jpg)
Multics
Outline
1 The session
2 Finite Automata
3 Bell-LaPadula
4 Security Properties
5 Limitations
6 Multics
7 Conclusion
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 22 / 32
![Page 37: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/37.jpg)
Multics
What and when was Multics?
Massive research project in early 70-sObjective: Secure, reliable, etc multiuser OS
i.e. Multics
The Bell-LaPadula model was a result of the researchThe ambitions made Multics too heavy-weight for most
Unix is a spin-off by some project memberssimpler and more user-friendly,
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 23 / 32
![Page 38: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/38.jpg)
Multics
Objects
Objects : memory segments, I/O devices, et c.hierarchically organised in directory treeinformation stored in parent directory
Access Control List (ACL) representing MSecurity level (classification) fO
Access to an object traverses path from rootAccess requires access to all ancestorsLow-level object in high-level directory makes little sense
Compatibility: Every object has security-level dominating that ofthe parent directory
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 24 / 32
![Page 39: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/39.jpg)
Multics
Objects
Objects : memory segments, I/O devices, et c.hierarchically organised in directory treeinformation stored in parent directory
Access Control List (ACL) representing MSecurity level (classification) fO
Access to an object traverses path from rootAccess requires access to all ancestorsLow-level object in high-level directory makes little sense
Compatibility: Every object has security-level dominating that ofthe parent directory
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 24 / 32
![Page 40: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/40.jpg)
Multics
Objects
Objects : memory segments, I/O devices, et c.hierarchically organised in directory treeinformation stored in parent directory
Access Control List (ACL) representing MSecurity level (classification) fO
Access to an object traverses path from rootAccess requires access to all ancestorsLow-level object in high-level directory makes little sense
Compatibility: Every object has security-level dominating that ofthe parent directory
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 24 / 32
![Page 41: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/41.jpg)
Multics
Subjects
Subject = processDescriptor segment describes the process, its rights, and itsaccessesSegment Descriptor Word (SDW) [representing b] for each objectcurrently accessed
segment-id ptr r: on e: off w: one
fC : Current-level tablefS : Process-level tableactive segment table : which processes are active
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 25 / 32
![Page 42: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/42.jpg)
Multics
Translating policies
Every parameter of the BLP statehas a representation in Multics data fields
Security policies can be rephrased,referring to Multics data fields
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 26 / 32
![Page 43: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/43.jpg)
Multics
Translating policies
Every parameter of the BLP statehas a representation in Multics data fields
Security policies can be rephrased,referring to Multics data fields
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 26 / 32
![Page 44: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/44.jpg)
Multics
Example: The SS-property
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 27 / 32
![Page 45: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/45.jpg)
Multics
Kernel primitives
Kernel primitives ∼ state transitionsrelease_readgive_readcreate_objectdelete_objectrevoke_readchange_subject_current_security_level
Ideally CPU instructions and OS kernel primitives match
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 28 / 32
![Page 46: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/46.jpg)
Multics
Kernel primitive: get_read
Example: get_readSubject s wants to read object oso s asks OS to add (s, o,read) to b
The OS has to check this with the security policy, i.e.The ACL of o includes (s,read)fO(o) ≤ fS(s)Either
fO(o) ≤ fC(s); orSubject s is trusted.
Access permitted if and only if all three conditions are met.
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 29 / 32
![Page 47: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/47.jpg)
Conclusion
Outline
1 The session
2 Finite Automata
3 Bell-LaPadula
4 Security Properties
5 Limitations
6 Multics
7 Conclusion
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 30 / 32
![Page 48: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/48.jpg)
Conclusion
Multics and security models
The state-machine is an effective model of a computer systemBell-LaPadula describes secure states and transisionsIf all transitions (and starting state) are secure, the system has tobe secureIn multics,
data-fields correspond to state parameterskernel primitives correspond to transitions
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 31 / 32
![Page 49: The Bell-LaPadula Model - University of Surrey...Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that](https://reader036.vdocuments.mx/reader036/viewer/2022071218/605089b6d1ddc45be160f543/html5/thumbnails/49.jpg)
Conclusion
Exercise sheet
Write a short essay stating your position in the Bell vs McLeandebate.
It is helpful to address as many of the strengths and weeknesses ofBLP as possible, in order to build an argument for your view.Suggested length 1
2 -2 pages. Longer is not necessarily better.
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2008 – Week 6 32 / 32