
Security Models

Computer Security Lecture 7

David Aspinall

School of Informatics
University of Edinburgh

28th January 2008


Outline

Access and information flow

Access control mechanisms

Security levels

The BLP security model


Controlling access or information flow
A security policy describes requirements for a system.
A security model is a way of formalizing a policy.
There are two basic paradigms:
access control: a guard controls whether a principal (the subject) is allowed access to a resource (the object).

    Subject --(access request)--> Reference monitor --> Object
    \_________________________/  \_________________________/
           Authentication                Authorization

information flow control: dual notion sometimes used when confidentiality is the primary concern. A guard controls whether information may flow from a resource to a principal.

    Object --> Reference monitor --> Subject
    \____________________________/ \_______/
              Authorization      Authentication
Access operations
We can consider some fundamental access modes. Typically:
observe: examine contents of an object
alter: change contents of an object
Next we define access rights and their profiles (a right has the observe profile if it lets the subject examine the object, and the alter profile if it lets the subject change it; these profiles are what the ss- and *-properties below are stated over):

            exec   read   append   write
  observe    -      x       -        x
  alter      -      -       x        x

These are the access rights of the influential Bell-LaPadula (BLP) model. Access rights are the model's level of granularity for defining security policy. Each real operation requires particular access rights.
Profiles and names of rights differ between systems, or even for different subject kinds. E.g., sometimes have a delete. In Unix, exec for directories indicates ability to read the directory.
Ownership and identity
Who may set the security policy? A resource may have an owner who controls access on a case-by-case basis, or the resource may be controlled by a uniform system-wide policy.
discretionary access control (DAC): owners decide who may access their objects
mandatory access control (MAC): policy set system-wide
A mixture of both may apply.
Owners of resources may be principals in the system: subjects themselves under access control. BLP does not (directly) consider operations to modify access controls (e.g., chown in Windows), nor explain when such operations are safe.
The identity of subjects is also flexible: e.g., identity changes during operations (SUID programs in Unix). Again, this doesn't fit BLP.

Access control structures
How are access control rights defined? Many schemes, but ultimately modelled by:
A set $S$ of subjects, a set $O$ of objects.
A set $A$ of operations (modelled by access rights); we'll consider $A = \{exec, read, append, write\}$.
An access control matrix
$$M = (M_{so})_{s \in S,\, o \in O}$$
where each entry $M_{so} \subseteq A$ defines rights for $s$ to access $o$.
Example matrix for $S = \{Alice, Bob\}$ and three objects:

          bob.doc         edit.exe   fun.com
  Alice   {}              {exec}     {exec, read}
  Bob     {read, write}   {exec}     {exec, read, write}
Representing the access control matrix
Implementing $M$ directly is impractical, so different schemes are used. Complementary possibilities: either use capabilities (store $M$ by rows) or use access control lists (store $M$ by columns).
A capability is an unforgeable token that specifies a subject's access rights. Pros: can pass around capabilities; good fit with discretionary AC. Cons: difficult to revoke, or find out who has, access to a particular resource (must examine all capabilities). Interest reinstated recently with distributed and mobile computation.
An access control list (ACL) stores the access rights to an object with the object itself. Pros: good fit with object-biased OSes. Cons: difficult to revoke, or find out, permissions of a particular subject (must search all ACLs).
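The following added example (my code, not the lecture's) stores the slide's example matrix both ways: by rows as capabilities and by columns as ACLs. The access-check functions are cheap in both representations; the two query functions and the two revoke functions make the slide's asymmetry concrete: with capabilities, "who can access o?" and revocation mean scanning every subject's tokens, while with ACLs "what can s access?" means searching every object's list. Subject, object and right names are the slide's; the dictionary layout is my own assumption.

```python
"""Added example (not from the lecture): the slide's access control matrix
M for S = {Alice, Bob}, stored by rows (capabilities) and by columns (ACLs),
with the queries that are cheap or expensive in each representation."""
from collections import defaultdict

# Constructed matrix from the slides: M_so is the set of rights s has on o.
MATRIX = {
    ("Alice", "bob.doc"): set(),
    ("Alice", "edit.exe"): {"exec"},
    ("Alice", "fun.com"): {"exec", "read"},
    ("Bob", "bob.doc"): {"read", "write"},
    ("Bob", "edit.exe"): {"exec"},
    ("Bob", "fun.com"): {"exec", "read", "write"},
}


def capabilities(matrix):
    """Row storage: each subject holds tokens (object -> rights); empty cells are dropped."""
    caps = defaultdict(dict)
    for (s, o), rights in matrix.items():
        if rights:
            caps[s][o] = set(rights)
    return dict(caps)


def acls(matrix):
    """Column storage: each object carries its list (subject -> rights)."""
    acl = defaultdict(dict)
    for (s, o), rights in matrix.items():
        if rights:
            acl[o][s] = set(rights)
    return dict(acl)


def check_cap(caps, s, o, a):
    """Reference-monitor decision from capabilities: looks only at s's own tokens."""
    return a in caps.get(s, {}).get(o, set())


def check_acl(acl, s, o, a):
    """Reference-monitor decision from an ACL: looks only at o's own list."""
    return a in acl.get(o, {}).get(s, set())


def who_can_access(caps, o):
    """Capabilities make 'who holds rights on o?' expensive: every subject's tokens are scanned."""
    return {s for s, held in caps.items() if o in held}


def revoke_cap(caps, s, o):
    """Revoking a capability means locating it among s's tokens; any copies that
    were passed to other subjects are not reached by this scan (the slide's caveat)."""
    caps.get(s, {}).pop(o, None)


def revoke_acl(acl, o, s):
    """Revocation on an ACL is local to the object: edit o's list and it is done."""
    acl.get(o, {}).pop(s, None)


def what_can_access(acl, s):
    """ACLs make 'what may s access?' expensive: every object's list is searched."""
    return {o for o, entries in acl.items() if s in entries}
```

The subject-side and object-side queries are deliberately written as full scans of the other dimension; on a real system with thousands of principals and millions of objects that scan is exactly the cost the slide warns about, which is why revocation of capabilities usually needs an extra mechanism (expiry, indirection, or a revocation list) rather than a search.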

Security levels
Multi Level Security (MLS) systems originated in the military. A security level is a label for subjects and objects, to describe a policy.
Security levels are ordered:
$$unclassified \le confidential \le secret \le topsecret.$$
Ordering can express policies like no write-down, which means that a high-level subject cannot write down to a low-level object. (A user with confidential clearance cannot write an unclassified file: it might contain confidential information read earlier.)
In practice, we need more flexibility. We may want categorizations as well, for example, describing departments or divisions in an organization. Then individual levels may not be comparable...
Security lattices
A lattice is a set $L$ equipped with a partial ordering $\le$ such that every two elements $a, b \in L$ have a least upper bound $a \vee b$ and a greatest lower bound $a \wedge b$. A finite lattice must have top and bottom elements.
In security, if $a \le b$, we say that $b$ dominates $a$. The bottom level dominated by all others is system low; the top level which dominates all others is system high.
Lattices are used for MLS policies because they allow an ordering where:
given two objects at different levels $a$ and $b$, there is a minimal security level $a \vee b$ needed to access both $a$ and $b$;
given two subjects at different levels $a$ and $b$, there is a maximal security level $a \wedge b$ for an object which must be readable by both.
An Example Lattice [Gollmann]
A standard construction is to take a set of classifications $H$, with a linear ordering $\le_H$, together with a set $C$ of categories. Define a compartment as a set of categories, and then a security level as a pair $(h, c)$ where $h \in H$ and $c \subseteq C$. Then the ordering
$$(h_1, c_1) \le (h_2, c_2) \iff h_1 \le_H h_2 \text{ and } c_1 \subseteq c_2$$
defines a lattice.
The slide's diagram shows the eight levels for $H = \{public \le_H private\}$ and $C = \{personnel, engineering\}$, system high at the top and system low at the bottom (levels on the same row are incomparable):

  (private, {personnel, engineering})
  (private, {personnel})   (private, {engineering})
  (private, {})
  (public, {personnel, engineering})
  (public, {personnel})    (public, {engineering})
  (public, {})
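As an added example (my code, not the lecture's or Gollmann's), the product lattice above implemented directly from the definition: a level is a pair of a classification and a compartment (a frozenset of categories), `leq` is the slide's ordering, `join` and `meet` are $a \vee b$ and $a \wedge b$, and `is_lattice` checks the definition on the slide for every pair of the eight levels. The two folds at the end are the two bullets from the previous slide: the minimal clearance needed to read a set of objects, and the maximal level an object can have while remaining readable by a set of subjects. The encoding of $H$ as a list ordered by index is my assumption.

```python
"""Added example (not from the lecture): Gollmann's product lattice of
(classification, compartment) levels with dominance, join and meet."""
from itertools import combinations

# Constructed instance matching the slide: H is linearly ordered by list index,
# C is the set of categories a compartment may contain.
H = ["public", "private"]
C = ("engineering", "personnel")


def level(h, *cats):
    """Build a security level (h, c) with c a compartment (set of categories)."""
    assert h in H and set(cats) <= set(C)
    return (h, frozenset(cats))


def leq(l1, l2):
    """(h1, c1) <= (h2, c2) iff h1 <=_H h2 and c1 is a subset of c2; l2 dominates l1."""
    (h1, c1), (h2, c2) = l1, l2
    return H.index(h1) <= H.index(h2) and c1 <= c2


def join(l1, l2):
    """Least upper bound a v b: the minimal level a subject needs to read both."""
    (h1, c1), (h2, c2) = l1, l2
    return (H[max(H.index(h1), H.index(h2))], c1 | c2)


def meet(l1, l2):
    """Greatest lower bound a ^ b: the maximal level of an object readable by both."""
    (h1, c1), (h2, c2) = l1, l2
    return (H[min(H.index(h1), H.index(h2))], c1 & c2)


def all_levels():
    """Every (h, c) pair: |H| * 2^|C| levels, eight for the slide's instance."""
    comps = [frozenset(s) for r in range(len(C) + 1) for s in combinations(C, r)]
    return [(h, c) for h in H for c in comps]


def system_low():
    return (H[0], frozenset())


def system_high():
    return (H[-1], frozenset(C))


def is_lattice(levels):
    """Check the slide's definition: every pair has a least upper bound and a
    greatest lower bound inside the set."""
    for a in levels:
        for b in levels:
            j, m = join(a, b), meet(a, b)
            if j not in levels or m not in levels:
                return False
            # j must be an upper bound, and below every other upper bound.
            if not (leq(a, j) and leq(b, j)):
                return False
            if any(leq(a, u) and leq(b, u) and not leq(j, u) for u in levels):
                return False
            # m must be a lower bound, and above every other lower bound.
            if not (leq(m, a) and leq(m, b)):
                return False
            if any(leq(u, a) and leq(u, b) and not leq(u, m) for u in levels):
                return False
    return True


def clearance_for(objects):
    """Minimal clearance dominating every object level: fold the levels with join."""
    lvl = system_low()
    for o in objects:
        lvl = join(lvl, o)
    return lvl


def shared_object_level(subjects):
    """Maximal object level readable by all given subjects: fold the levels with meet."""
    lvl = system_high()
    for s in subjects:
        lvl = meet(lvl, s)
    return lvl
```

Note that `leq` is a partial order: for `(private, {personnel})` and `(public, {engineering})` neither direction holds, which is exactly the "levels may not be comparable" situation the previous slide motivates, and the join `(private, {personnel, engineering})` is the only level from which both can be read.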

Bell-LaPadula Model (BLP)
BLP (1973) is a state machine model for confidentiality.
Permissions use an AC matrix and security levels. The security policy prevents information flowing from a high level to a lower level.
Assume subjects $S$, objects $O$, accesses $A$ as before.
A set $L$ of security levels, with a partial ordering $\le$.
The state set $B \times M \times F$ captures the current permissions and subjects accessing objects. It has three parts:
$B$: possible current accesses
$M$: permissions matrices
$F$: security level assignments
A BLP state is a triple $(b, M, f)$.
BLP state set
$B = \mathcal{P}(S \times O \times A)$ is the set of all possible current accesses. An element $b \in B$ is a set of tuples $(s, o, a)$ meaning $s$ is performing operation $a$ on an object $o$.
$M$ is the set of permission matrices $M = (M_{so})_{s \in S,\, o \in O}$.
$F \subseteq L^S \times L^S \times L^O$ is the set of security level assignments. An element $f \in F$ is a triple $(f_S, f_C, f_O)$ where
$f_S : S \to L$ gives the maximal security level each subject can have;
$f_C : S \to L$ gives the current security level of each subject (such that $f_C \le f_S$), and
$f_O : O \to L$ gives the classification of all objects.
BLP Mandatory Access Control Policy
Consider a state $(b, M, f)$, where $b$ is the set of current accesses.
Simple security property
The ss-property states that for each access $(s, o, a) \in b$ where $a \in \{read, write\}$, then $f_O(o) \le f_S(s)$ (no read-up).
Star property
The $*$-property states that for each access $(s, o, a) \in b$ where $a \in \{append, write\}$, then $f_C(s) \le f_O(o)$ (no write-down) and moreover, we must have $f_O(o') \le f_O(o)$ for all $o'$ with $(s, o', a') \in b$ and $a' \in \{read, write\}$ ($o$ must dominate any other object $s$ can read).
Together these form the mandatory access control policy for BLP.
BLP Discretionary Control and Security
The access control matrix $M$ allows DAC as well.
Discretionary security property
The ds-property: for each access $(s, o, a) \in b$, we have that $a \in M_{so}$ (discretionary access controls are obeyed).
Definition of Security: The state $(b, M, f)$ is secure if the three properties above are satisfied.
Notice that BLP's notion of security is entirely captured in the current state.
Current clearance level
Unfortunately, the $*$-property means a high-level subject cannot send messages to a low-level subject. This is unrealistic!
There are two ways out:
1. temporarily downgrade a high-level subject, which is why the model includes the current clearance level setting $f_C$, or
2. identify a set of trusted subjects allowed to violate the $*$-property.
Approach 1 works because the current state describes exactly what each subject knows. So if a subject (e.g. a process) is downgraded, it cannot access higher-level material, so may safely write at any lower level than its maximum.
When subjects are people with high-level clearances, approach 2 works: we trust someone to violate the property in the model, e.g., by publishing part of a secret document.
Basic security theorem
A transition from state $v_1$ to $v_2$ is secure simply if both states $v_1$ and $v_2$ are secure.
This leads to a rather simple and general theorem:
Basic security theorem
If all state transitions in a system are secure and the initial state of the system is secure, then every subsequent state is also secure.
(NB: this follows immediately by induction; it has nothing to do with the properties of BLP!)
The point: we can reduce checking the system for all possible inputs to checking that each kind of possible state transition preserves security. Of course, to do this we need a concrete instance of the model which describes possible transitions.
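The following added example (my code, not the lecture's, and not BLP's original formalisation) is the "concrete instance" the last sentence asks for. It ties together the MAC policy slide, the current clearance level slide and the theorem: a BLP state $(b, M, f)$ over the linear ordering $unclassified \le confidential \le secret \le topsecret$, the ss-, $*$- and ds-properties written as predicates on that state, and `run`, which applies the basic security theorem by checking the initial state and then each transition. The scenario at the bottom is constructed: Alice (cleared secret) reads a secret plan and then wants to write an unclassified memo; the $*$-property blocks it until she releases the read and her current level $f_C$ is lowered (approach 1 on the clearance slide). Subject, object and file names and the transition helpers are my assumptions.

```python
"""Added example (not from the lecture): a BLP state (b, M, f) over a linear
level ordering, the ss-, *- and ds-properties, the current-clearance downgrade
(approach 1), and the basic security theorem applied to a transition sequence."""
from dataclasses import dataclass, replace

# Constructed linear ordering: list index gives rank, so leq is an index comparison.
LEVELS = ["unclassified", "confidential", "secret", "topsecret"]
OBSERVE = {"read", "write"}   # rights whose profile includes observe
ALTER = {"append", "write"}   # rights whose profile includes alter


def leq(a, b):
    return LEVELS.index(a) <= LEVELS.index(b)


@dataclass(frozen=True)
class State:
    b: frozenset   # current accesses: tuples (s, o, a)
    M: dict        # (s, o) -> set of rights (the access control matrix)
    fS: dict       # maximal clearance of each subject
    fC: dict       # current clearance of each subject, fC[s] <= fS[s]
    fO: dict       # classification of each object


def well_formed(st):
    """f in F requires fC <= fS for every subject."""
    return all(leq(st.fC[s], st.fS[s]) for s in st.fS)


def ss_property(st):
    """No read-up: observing o needs fO(o) <= fS(s)."""
    return all(leq(st.fO[o], st.fS[s]) for (s, o, a) in st.b if a in OBSERVE)


def star_property(st):
    """No write-down: altering o needs fC(s) <= fO(o), and o must dominate
    every object that s currently observes."""
    for (s, o, a) in st.b:
        if a not in ALTER:
            continue
        if not leq(st.fC[s], st.fO[o]):
            return False
        for (s2, o2, a2) in st.b:
            if s2 == s and a2 in OBSERVE and not leq(st.fO[o2], st.fO[o]):
                return False
    return True


def ds_property(st):
    """Discretionary controls are obeyed: a in M_so for every current access."""
    return all(a in st.M.get((s, o), set()) for (s, o, a) in st.b)


def is_secure(st):
    return well_formed(st) and ss_property(st) and star_property(st) and ds_property(st)


def transition_secure(v1, v2):
    """A transition is secure simply if both states are secure."""
    return is_secure(v1) and is_secure(v2)


def run(initial, steps):
    """Basic security theorem in use: accept a run only if the initial state and
    every transition are secure; by induction every reached state is then secure.
    Returns (accepted, states reached before the first insecure transition)."""
    if not is_secure(initial):
        return False, [initial]
    states = [initial]
    for step in steps:
        nxt = step(states[-1])
        if not transition_secure(states[-1], nxt):
            return False, states
        states.append(nxt)
    return True, states


# Transition constructors (pure functions State -> State); names are my own.
def get_access(s, o, a):
    return lambda st: replace(st, b=st.b | {(s, o, a)})


def release_access(s, o, a):
    return lambda st: replace(st, b=st.b - {(s, o, a)})


def set_current_level(s, lvl):
    return lambda st: replace(st, fC={**st.fC, s: lvl})


# Constructed scenario: Alice (secret) reads a secret plan, then wants to write an unclassified memo.
INITIAL = State(
    b=frozenset(),
    M={("Alice", "plan.doc"): {"read"}, ("Alice", "memo.txt"): {"write"},
       ("Bob", "plan.doc"): {"read"}},
    fS={"Alice": "secret", "Bob": "confidential"},
    fC={"Alice": "secret", "Bob": "confidential"},
    fO={"plan.doc": "secret", "memo.txt": "unclassified"},
)

# Blocked by the *-property: fC(Alice) = secret is not <= unclassified.
WRITE_DOWN_ATTEMPT = [get_access("Alice", "plan.doc", "read"),
                      get_access("Alice", "memo.txt", "write")]

# Approach 1: drop the high read, lower the current level, then write.
DOWNGRADE_THEN_WRITE = [get_access("Alice", "plan.doc", "read"),
                        release_access("Alice", "plan.doc", "read"),
                        set_current_level("Alice", "unclassified"),
                        get_access("Alice", "memo.txt", "write")]
```

Two things the slides say become visible when you step through `run`: security is a property of the current state only (no history is consulted, which is why releasing the read is what makes the downgrade safe), and the theorem contributes nothing BLP-specific, since `run` would work unchanged for any other definition of `is_secure`.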
References
See Ch 3–5 of Gollmann, Ch 7–9 of Anderson and Parts 2–3 of Bishop.
Ross Anderson. Security Engineering: A Comprehensive Guide to Building Dependable Distributed Systems. Wiley & Sons, 2001.
Matt Bishop. Computer Security: Art and Science. Addison-Wesley, 2003.
Dieter Gollmann. Computer Security. John Wiley & Sons, second edition, 2006.
Recommended Reading
Chapters 3–4 of Gollmann.