EIT060 - Computer Security
2013-02-15

• Bell-LaPadula model
• Biba model
• (Clark-Wilson model)
• Chinese Wall model

• Demonstrate how security policies can be expressed in a formal way.
• Give some history of computer security
• Understand the limitations of various models

• State – Representation of the system at some given time
• State transition – the next state depends on the current state + input.
• Idea: If we start in a secure state and all state transitions preserve security, then the system will be secure.

Question 1: What is a state?
Question 2: What is a secure state?

• Bell-LaPadula model: the most famous security model
• First developed around 1973
• "Unified exposition and Multics interpretation", 1976
• Focus on confidentiality, not integrity
• Based on state transitions
• Both mandatory and discretionary access control
◦ Multilevel security
◦ Access control matrix

• Set of subjects S
• Set of objects O
• Set of access operations A
◦ execute, read, append, write

          Execute   Append   Read   Write
Observe                       X      X
Alter                X               X

(execute neither observes nor alters the object; read observes it; append alters it; write does both)

• Set of security levels L with partial ordering ≤
• Functions
◦ fS: S → L, maximum security level of a subject
◦ fC: S → L, current security level of a subject
◦ fO: O → L, security level of an object

• Multilevel security
◦ Classifications (from highest to lowest): Top Secret, Secret, Confidential, Unclassified
◦ Categories, e.g. {Admin, Lecturer, Students}
• Security level given by the pair (Classification, Set of categories)
• Partial ordering: (h1,c1) ≤ (h2,c2) if and only if h1 ≤ h2 and c1 ⊆ c2
• Security level (h2,c2) dominates (h1,c1) when (h1,c1) ≤ (h2,c2)

The state consists of three parts (in our book)
1. Current access operations, given by a set of (s,o,a) tuples
◦ An element of the powerset P(S × O × A)
◦ Can be written as a matrix b: s is the row, o is the column, a is the current access operation
2. Access matrix, given by M
3. Functions f = (fS, fC, fO)
• The state is given by (b, M, f)
• Note: Usually the set of all objects is also a part of the state, but our book ignores this

• Example: a system with 5 subjects and 5 objects, 2 classifications and 2 categories
◦ Subjects: Alice, Bob, Charlie, David, Erika
◦ Objects: file_a, file_b, file_c, file_d, file_e
◦ Classifications: public, private (public < private)
◦ Categories: A, B

Access Control Matrix M (row = subject; each entry is the set of operations permitted on one of the files file_a … file_e)
Alice:   r,w,a   e   a
Bob:     a   r,e
Charlie: r   r   a
David:   r,w,a   r,w,a
Erika:   a   e
The entries used by b below are Alice: r,w,a on file_b, David: r,w,a on file_c and Erika: a on file_a.

Current access set b:
(Alice, file_b, r)
(David, file_c, w)
(Erika, file_a, a)

Functions f = (fS, fC, fO)
fS: Alice: (private, {A}), Bob: (public, {A,B}), Charlie: (public, {B}), David: (private, {A,B}), Erika: (public, {A})
fC: Alice: (private, {A}), Bob: (public, {A,B}), Charlie: (public, {B}), David: (public, {A,B}), Erika: (public, {A})
fO: file_a: (private, {A}), file_b: (private, ∅), file_c: (public, {A,B}), file_d: (public, {A}), file_e: (private, {A,B})
The state is given by (b, M, f)

• Simple Security Property (ss-property)
• Mandatory access control; concerns the observe operations (read and write)
State (b,M,f) satisfies the ss-property if for each element (s,o,a) ∈ b where the access operation a is read or write, the security level of s dominates the security level of o, i.e., fO(o) ≤ fS(s)
• No read-up – A user is not allowed read (observe) access to objects with a higher security level

For the example state (b, M, f) above, according to the ss-property:
• Alice is allowed to read file_b since fO(file_b) = (private, ∅) ≤ (private, {A}) = fS(Alice)
• David is allowed write access to file_c since fO(file_c) = (public, {A,B}) ≤ (private, {A,B}) = fS(David)

• A subject can append to any object with a higher security level than the subject.
• We do not allow information to flow downwards.
◦ Easy way: A subject can not send any information to an object with a lower security level – Not practical
◦ Better solution:
  • Possible to temporarily downgrade a subject – the reason to introduce fC(s)
  • Let trusted subjects send information downwards
• Note that we assume that a subject does not have an internal memory – We have to see it as a process, not a human being
◦ It only knows the contents of the objects it is currently accessing

• Star-Property (*-property)
• Mandatory access control; concerns the alter operations (append and write)
• Does not apply to trusted subjects
State (b,M,f) satisfies the *-property if for each element (s,o,a) ∈ b where the access operation a is append or write, the current security level of s is dominated by the security level of o, i.e., fC(s) ≤ fO(o)
• No write-down – A user is not allowed write (alter) access to objects with a lower security level than the current security level of the subject

For the example state (b, M, f) above, according to the *-property:
• David is allowed write access to file_c since fC(David) = (public, {A,B}) ≤ (public, {A,B}) = fO(file_c)
• Erika is allowed append access to file_a since fC(Erika) = (public, {A}) ≤ (private, {A}) = fO(file_a)

• The ss-property considers the maximum level of the subject, fS(s)
• The *-property considers the current level of the subject, fC(s)
• David has append access to file_c, but he would also be granted read access to file_e:
  ss-property for the read: fO(file_e) = (private, {A,B}) ≤ (private, {A,B}) = fS(David)
  *-property for the append: fC(David) = (public, {A,B}) ≤ (public, {A,B}) = fO(file_c)
• Result: It would be possible for information to flow from file_e to file_c

  file_e (private, {A,B})  --read-->  David [fS(David) = (private, {A,B}), fC(David) = (public, {A,B})]  --append-->  file_c (public, {A,B})
  Possible information flow

→ We need another restriction in the *-property

State (b,M,f) satisfies the *-property if for each element (s,o,a) ∈ b where the access operation a is append or write, the current security level of s is dominated by the security level of o, i.e., fC(s) ≤ fO(o).
Furthermore, if there exists an element (s,o,a) ∈ b where the access operation a is append or write, then we must have fO(o') ≤ fO(o) for all objects o' with (s,o',a') ∈ b and a' is read or write.
• In other words: If a subject has access to several objects at the same time, all objects with observe access must have a lower (or equal) security level than all objects with alter access
• Still does not apply to trusted subjects

• Discretionary access control: a subject may pass an access permission on to other users.
State (b,M,f) satisfies the ds-property if for each element (s,o,a) ∈ b we have a ∈ M[s,o]
• The access rights given in the access control matrix must also be followed

For the example state (b, M, f) above: all accesses given in b are allowed in the access control matrix M, so the ds-property holds as well.

• The current state is secure if and only if each (si,oi,ai) ∈ b satisfies the three properties
◦ ss-property, *-property and ds-property
• The state of the system changes if any component in (b,M,f) changes
• As long as no state change violates any of the three properties, the system remains secure
• If all state transitions are secure and if the initial state is secure, then every subsequent state will be secure (the Basic Security Theorem)

Possible state transitions:
• Get access – add a triple (subject, object, access operation) to the current access set b
• Release access – remove a triple from b
  } Change b in the state
• Change object level – change the value of fO(o) for object o
• Change current level – change the value of fC(s) for subject s
  } Change f in the state
• Give access permission – add an access operation to M
• Rescind access permission – remove an access operation from M
  } Change M in the state
• Create object – add an object to the system
• Remove object – remove an object from the system
  } Not supported by "our" state

McLean criticism: Make a state transition that downgrades all subjects and objects to the lowest security level and enters all access rights in all entries of M. The resulting state still satisfies the three properties, so by the definition the transition is secure → Everyone can do everything – not secure
Bell standpoint: If such a transition is required, it should be ok. Otherwise, it should not be implemented.
Tranquility: security levels and access rights never change.
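The definitions above are concrete enough to execute. The following is an added example, not code from the lecture: it encodes the lattice of (classification, categories) levels, the ss-, *- and ds-properties (with the extra clause of the extended *-property switchable), and the "get access" transition, which is granted only if the resulting state (b, M, f) is still secure. The subjects, objects, b and f are the lecture's example system; M is reduced to the cells b relies on plus one assumed cell, David: r on file_e, so that the ds-property does not mask the information-flow case of the previous slides.

```python
"""Bell-LaPadula state check and 'get access' transition on the lecture's example.

Added example; not code from the original slides. Subjects, objects, b and f
follow the lecture; M keeps only the cells b relies on plus one assumed cell
(David may read file_e) so the *-property, not the ds-property, decides the
David/file_e case.
"""

CLASS_ORDER = {"public": 0, "private": 1}   # public < private

def level(h, *cats):
    """Security level (classification, set of categories)."""
    return (h, frozenset(cats))

def dominates(hi, lo):
    """(h2,c2) dominates (h1,c1) iff h1 <= h2 and c1 is a subset of c2."""
    (h2, c2), (h1, c1) = hi, lo
    return CLASS_ORDER[h1] <= CLASS_ORDER[h2] and c1 <= c2

OBSERVE = {"r", "w"}   # read and write observe the object
ALTER = {"a", "w"}     # append and write alter the object

def ss_property(b, f):
    """No read-up: every observe access in b needs fO(o) <= fS(s)."""
    fS, _, fO = f
    return all(dominates(fS[s], fO[o]) for s, o, a in b if a in OBSERVE)

def star_property(b, f, strict=True):
    """No write-down: every alter access in b needs fC(s) <= fO(o).
    strict=True adds the extra clause: every object the subject observes
    must sit at or below every object it alters."""
    _, fC, fO = f
    for s, o, a in b:
        if a not in ALTER:
            continue
        if not dominates(fO[o], fC[s]):
            return False
        if strict and any(s2 == s and a2 in OBSERVE and not dominates(fO[o], fO[o2])
                          for s2, o2, a2 in b):
            return False
    return True

def ds_property(b, M):
    """Every current access must be permitted by the access matrix M."""
    return all(a in M.get((s, o), set()) for s, o, a in b)

def is_secure(state, strict=True):
    b, M, f = state
    return ss_property(b, f) and star_property(b, f, strict) and ds_property(b, M)

def get_access(state, s, o, a, strict=True):
    """Transition 'get access': add (s,o,a) to b, but only if the resulting
    state is still secure. Returns (state, granted)."""
    b, M, f = state
    candidate = (b | {(s, o, a)}, M, f)
    if is_secure(candidate, strict):
        return candidate, True
    return state, False

# The lecture's example system.
fS = {"Alice": level("private", "A"), "Bob": level("public", "A", "B"),
      "Charlie": level("public", "B"), "David": level("private", "A", "B"),
      "Erika": level("public", "A")}
fC = dict(fS, David=level("public", "A", "B"))       # David is temporarily downgraded
fO = {"file_a": level("private", "A"), "file_b": level("private"),
      "file_c": level("public", "A", "B"), "file_d": level("public", "A"),
      "file_e": level("private", "A", "B")}
b0 = frozenset({("Alice", "file_b", "r"), ("David", "file_c", "w"), ("Erika", "file_a", "a")})
M = {("Alice", "file_b"): {"r", "w", "a"}, ("David", "file_c"): {"r", "w", "a"},
     ("Erika", "file_a"): {"a"},
     ("David", "file_e"): {"r"}}                       # assumed cell for the demo
STATE0 = (b0, M, (fS, fC, fO))

if __name__ == "__main__":
    print("initial state secure:", is_secure(STATE0))
    # David already alters file_c; reading file_e would let (private,{A,B})
    # data flow into a (public,{A,B}) object.
    _, granted = get_access(STATE0, "David", "file_e", "r", strict=False)
    print("David reads file_e, basic *-property:", granted)
    _, granted = get_access(STATE0, "David", "file_e", "r")
    print("David reads file_e, extended *-property:", granted)
    _, granted = get_access(STATE0, "Bob", "file_d", "r")
    print("Bob reads file_d (ss-property ok, but no r in M[Bob,file_d]):", granted)
```

Run as a script it prints True, True, False, False: the basic *-property lets David read file_e while holding write access to file_c, the extended one refuses, and Bob's read of file_d is refused by the ds-property alone.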

Limitations of Bell-LaPadula:
• Only focuses on confidentiality, not integrity
• Does not address the management of access control
• Contains covert channels – information flow not controlled by the security mechanisms.
Example:
◦ A low level subject creates file.txt at low level
◦ A high level subject upgrades file.txt to a higher level, or leaves it alone
◦ The low level subject tries to read file.txt; whether the read succeeds tells it one bit chosen by the high level subject
Example 2:
◦ If low-level subjects can read filenames at high levels, the filename can also be used to send information from high-level subjects

Biba model:
• Focuses on integrity, i.e., unauthorized modification of data
• Proposed in 1977
• Similar to Bell-LaPadula in several ways
◦ Based on multilevel security with a partial ordering
◦ Based on subjects and objects
• Subjects and objects are mapped to integrity levels forming a lattice
◦ fS: S → L, subject integrity level
◦ fO: O → L, object integrity level

• Information flows downward
• High integrity subjects and objects are called clean, low integrity subjects and objects are called dirty
◦ Clean objects are more accurate or reliable than dirty ones
◦ We have more confidence in clean subjects to execute as expected or to validate input
• Clean objects cannot be contaminated by information from low-integrity processes (subjects)
• Clean subjects should not read dirty objects
• Operations of interest: Modify, Read, Invoke

• Simple integrity property
◦ Corresponds to the ss-property in Bell-LaPadula
◦ If subject s can modify object o, then fO(o) ≤ fS(s)
◦ No write-up
• Integrity *-property
◦ Corresponds to the *-property in Bell-LaPadula
◦ A subject s can read an object o only if fS(s) ≤ fO(o)
◦ No read-down

Low watermark policies: integrity levels are automatically adjusted
• Subject low watermark property: Subject s can read an object o at any integrity level. The new integrity level of the subject is the greatest lower bound of fS(s) and fO(o).
• Object low watermark property: Subject s can modify an object o at any integrity level. The new integrity level of the object is the greatest lower bound of fS(s) and fO(o).

• Subject low watermark policy, on the lattice of levels (from the top): (private, {A,B}); (private, {A}), (private, {B}); (private, ∅), (public, {A,B}); (public, {A}), (public, {B}); (public, ∅)
  time t:   Alice (private, {A}) reads file_a (private, {B})
  time t+1: Alice (private, ∅) reads file_a (private, {B}); Alice has been lowered to glb((private, {A}), (private, {B})) = (private, ∅)

• Object low watermark policy, on the same lattice:
  time t:   Alice (public, {A}) modifies file_a (private, {B})
  time t+1: Alice (public, {A}) modifies file_a (public, ∅); file_a has been lowered to glb((public, {A}), (private, {B})) = (public, ∅)

• A subject may invoke another subject to access an object
• Invoke property: Subject s1 can invoke subject s2 only if fS(s2) ≤ fS(s1)
• Only invoke subjects (e.g., software tools) at lower levels
◦ Otherwise dirty subjects could use clean tools to alter clean objects
◦ But maybe this is what we want? Controlled invocation!
• Ring property: A subject s1 can read all objects. It can only modify objects with fO(o) ≤ fS(s1) and it can invoke subject s2 only if fS(s1) ≤ fS(s2)
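The Biba properties and both low watermark policies above, as an added example that is not code from the lecture. It reuses the lecture's (classification, categories) lattice as integrity levels, implements the greatest lower bound the watermark rules need, replays the two transitions drawn above (Alice reading file_a, then Alice modifying file_a), and adds a small trace replay to show the known drawback of the policy: levels only ever sink. The event trace and the extra subject Bob are constructed for the demo.

```python
"""Biba integrity properties and the low watermark policies of the lecture.

Added example; not code from the original slides. Uses the lecture's
(classification, categories) lattice as integrity levels; the trace in the
test and the subject Bob are constructed.
"""

CLASS_ORDER = {"public": 0, "private": 1}

def level(h, *cats):
    return (h, frozenset(cats))

def leq(lo, hi):
    """(h1,c1) <= (h2,c2) iff h1 <= h2 and c1 is a subset of c2."""
    return CLASS_ORDER[lo[0]] <= CLASS_ORDER[hi[0]] and lo[1] <= hi[1]

def glb(x, y):
    """Greatest lower bound on the lattice: lower classification, intersected categories."""
    h = x[0] if CLASS_ORDER[x[0]] <= CLASS_ORDER[y[0]] else y[0]
    return (h, x[1] & y[1])

# Static Biba: the access is refused instead of levels being adjusted.
def simple_integrity_ok(fS, fO, s, o):
    """Modify allowed only if fO(o) <= fS(s): no write-up."""
    return leq(fO[o], fS[s])

def integrity_star_ok(fS, fO, s, o):
    """Read allowed only if fS(s) <= fO(o): no read-down."""
    return leq(fS[s], fO[o])

def invoke_ok(fS, s1, s2):
    """Invoke property: s1 may invoke s2 only if fS(s2) <= fS(s1)."""
    return leq(fS[s2], fS[s1])

def ring_invoke_ok(fS, s1, s2):
    """Ring property: s1 may invoke s2 only if fS(s1) <= fS(s2)."""
    return leq(fS[s1], fS[s2])

# Low watermark: the access is always allowed and a level sinks to the glb.
def read_subject_low_watermark(fS, fO, s, o):
    """Returns a new fS with s lowered to glb(fS(s), fO(o))."""
    new_fS = dict(fS)
    new_fS[s] = glb(fS[s], fO[o])
    return new_fS

def modify_object_low_watermark(fS, fO, s, o):
    """Returns a new fO with o lowered to glb(fS(s), fO(o))."""
    new_fO = dict(fO)
    new_fO[o] = glb(fS[s], fO[o])
    return new_fO

def replay(fS, fO, events):
    """Apply a trace of ("read" | "modify", subject, object) events under the
    low watermark policies and return the final (fS, fO). Levels never rise
    again, so a long-running subject ends up dirty."""
    for op, s, o in events:
        if op == "read":
            fS = read_subject_low_watermark(fS, fO, s, o)
        elif op == "modify":
            fO = modify_object_low_watermark(fS, fO, s, o)
        else:
            raise ValueError("unknown operation %r" % op)
    return fS, fO

if __name__ == "__main__":
    # Subject low watermark: Alice (private,{A}) reads file_a (private,{B}).
    fS = {"Alice": level("private", "A")}
    fO = {"file_a": level("private", "B")}
    print("Alice after the read:", read_subject_low_watermark(fS, fO, "Alice", "file_a")["Alice"])
    # Object low watermark: Alice (public,{A}) modifies file_a (private,{B}).
    fS = {"Alice": level("public", "A")}
    print("file_a after the modify:", modify_object_low_watermark(fS, fO, "Alice", "file_a")["file_a"])
```

The two printed levels are (private, ∅) and (public, ∅), matching the two diagrams; the static checks show that the same two accesses would simply be refused under the simple integrity and integrity *-properties.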

Clark-Wilson model:
• Developed in 1987
• Security (integrity) in commercial systems
◦ A bank system will be used as example
• Differences between military and commercial applications (according to Clark and Wilson):
◦ Military: a data item is associated with a particular level. Commercial: a data item is associated with the set of programs permitted to manipulate it.
◦ Military: users are constrained by what they can read or write. Commercial: users are constrained by which programs they are allowed to execute.

• Consistency – data is consistent if it satisfies some given properties
◦ Balance day i = balance day i–1 + deposits – withdrawals
• Two important concepts
◦ Well formed transactions – users can only change the system through programs
◦ Separation of duties – a user can only use a certain set of programs
• If you can create a well-formed transaction you may not be allowed to run it
• Users have to collaborate to manipulate data

• Two kinds of data items
◦ Constrained data items (CDI) – data items subject to integrity control. E.g., account balances.
◦ Unconstrained data items (UDI) – data items not subject to integrity control. E.g., unimportant text files
• Integrity verification procedures (IVP) – check the integrity of CDIs. E.g., check that an account balance is what it should be
• Transformation procedures (TP) – change the state of the system, i.e., manipulate CDIs. E.g., deposit money, withdraw money, transfer money
• Certification rules – how should the system behave
• Enforcement rules – how do we make the system behave the way we want

• Certification rule 1: IVPs must ensure that all CDIs are in a valid state
• Certification rule 2: A TP has an associated set of CDIs. The TP must transform these CDIs from valid states to valid states.
CR2 says nothing about CDIs that are not associated with the TP, so a TP could still corrupt those:
• Enforcement rule 1: The system must maintain a list of CDIs associated with each TP. Only these CDIs can be manipulated by this TP.
Not everyone should be able to run any TP:
• Enforcement rule 2: The system must associate a list of TPs with each user. A TP can not be run by a user not associated with that TP.
Now we have a set of triples (user, TP, {CDI set}). These must be certified:
• Certification rule 3: All triples must meet the separation of duties requirements

Only certain users are allowed to run a certain TP. How do we know the user is who he claims to be?
• Enforcement rule 3: The system must authenticate each user trying to execute a TP.
Each operation must be logged:
• Certification rule 4: All TPs must log information about all operations
A UDI entering the system may not be trusted:
• Certification rule 5: A TP taking a UDI as input must either transform it to a valid CDI or reject it
No person should be able to both certify and run a TP:
• Enforcement rule 4: Only the certifier of a TP may change the list of entities associated with that TP. No certifier may ever execute the TP. (separation of duties)
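The certification and enforcement rules above, wired together on the bank example as an added example (not code from the lecture). Three transformation procedures (deposit, withdraw, transfer) are the only way the CDIs change; E1 through E4 are checked before a TP runs, every attempt is logged (CR4), untrusted amounts are validated or rejected (CR5), and the IVP (CR1) recomputes the balances from the opening balances and the log, which is exactly the consistency relation balance day i = balance day i–1 + deposits – withdrawals. The users, account names, amounts and the auditor as certifier are constructed for the demo.

```python
"""Clark-Wilson enforcement on the lecture's bank example.

Added example; not code from the original slides. It wires the rules E1-E4
and CR1, CR2, CR4, CR5 around three transformation procedures. Users,
account names, amounts and the certifier assignment are constructed.
"""

class IntegrityError(Exception):
    pass

def to_amount(udi):
    """CR5: a UDI (untrusted input) is converted to a valid amount or rejected."""
    try:
        amount = int(udi)
    except (TypeError, ValueError):
        raise IntegrityError("CR5: amount is not an integer")
    if amount <= 0:
        raise IntegrityError("CR5: amount must be positive")
    return amount

# Transformation procedures: the only way CDIs change (well-formed transactions).
def deposit(cdis, names, udi):
    (acct,) = names
    cdis[acct] += to_amount(udi)

def withdraw(cdis, names, udi):
    (acct,) = names
    cdis[acct] -= to_amount(udi)

def transfer(cdis, names, udi):
    src, dst = names
    amount = to_amount(udi)
    cdis[src] -= amount
    cdis[dst] += amount

TPS = {"deposit": deposit, "withdraw": withdraw, "transfer": transfer}

class System:
    def __init__(self, opening, tp_cdis, user_tps, certifier):
        self.opening = dict(opening)   # balances at the start of the day
        self.cdis = dict(opening)      # the CDIs: current account balances
        self.tp_cdis = tp_cdis         # E1: TP -> CDIs it is certified for
        self.user_tps = user_tps       # E2: user -> TPs the user may run
        self.certifier = certifier     # E4: TP -> user who certified it
        self.log = []                  # CR4: every attempted operation

    def ivp(self):
        """CR1: balance today = opening + deposits - withdrawals, replayed
        from the log, and no balance negative."""
        replay = dict(self.opening)
        for _user, tp_name, names, udi, status in self.log:
            if status == "ok":
                TPS[tp_name](replay, names, udi)
        return replay == self.cdis and all(v >= 0 for v in self.cdis.values())

    def _enforce(self, user, authenticated, tp_name, cdi_names):
        if not authenticated:
            raise IntegrityError("E3: user not authenticated")
        if tp_name not in self.user_tps.get(user, set()):
            raise IntegrityError("E2: %s is not allowed to run %s" % (user, tp_name))
        if self.certifier.get(tp_name) == user:
            raise IntegrityError("E4: the certifier of %s may not execute it" % tp_name)
        if not set(cdi_names) <= self.tp_cdis.get(tp_name, set()):
            raise IntegrityError("E1: %s is not certified for %s" % (tp_name, list(cdi_names)))

    def run_tp(self, user, authenticated, tp_name, cdi_names, udi):
        """Run a TP on behalf of a user; every attempt is logged, and a
        rejected or invalid run leaves the CDIs untouched."""
        entry = (user, tp_name, tuple(cdi_names), udi)
        snapshot = dict(self.cdis)
        try:
            self._enforce(user, authenticated, tp_name, cdi_names)
            TPS[tp_name](self.cdis, cdi_names, udi)
            self.log.append(entry + ("ok",))
            if not self.ivp():               # CR2: valid state to valid state
                self.log.pop()
                raise IntegrityError("CR2: %s would leave a CDI invalid" % tp_name)
        except IntegrityError:
            self.cdis = snapshot
            self.log.append(entry + ("rejected",))
            raise

def bank():
    """Constructed configuration: two accounts, a teller, a clerk, and the
    auditor who certified the TPs (and therefore may not run them)."""
    return System(
        opening={"acct_1": 100, "acct_2": 50},
        tp_cdis={"deposit": {"acct_1", "acct_2"}, "withdraw": {"acct_1"},
                 "transfer": {"acct_1", "acct_2"}},
        user_tps={"teller": {"deposit", "withdraw"}, "clerk": {"transfer"},
                  "auditor": {"transfer"}},
        certifier={"deposit": "auditor", "withdraw": "auditor", "transfer": "auditor"},
    )

if __name__ == "__main__":
    s = bank()
    s.run_tp("teller", True, "deposit", ["acct_1"], "25")
    for attempt in [("teller", True, "withdraw", ["acct_1"], "500"),           # CR2
                    ("auditor", True, "transfer", ["acct_1", "acct_2"], "10"),  # E4
                    ("clerk", False, "transfer", ["acct_1", "acct_2"], "10")]:  # E3
        try:
            s.run_tp(*attempt)
        except IntegrityError as e:
            print("rejected:", e)
    print(s.cdis, "IVP ok:", s.ivp())
    s.cdis["acct_1"] = 10**6          # a change that bypassed every TP
    print("after tampering, IVP ok:", s.ivp())
```

The last two lines show why the IVP is separate from the enforcement rules: a balance changed behind the TPs' back is exactly what CR1 exists to catch.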

Chinese Wall model:
• Proposed by Brewer and Nash, 1989
• Aimed at the consultancy business
• Based on avoiding conflicts of interest
• Motivation:
◦ A business consultant should not give advice to Volvo if he has insider knowledge about Scania.
◦ A business consultant can give advice to both Volvo and H&M since they are not competitors.

• Company denoted c ∈ C
• Subjects s ∈ S are the analysts having access to company information
• Objects o ∈ O are items of information, each belonging to a company
• Company dataset: all objects concerning a company
◦ Function y : O → C maps an object to its company dataset
• Conflict of interest class: indicates which companies are in competition
◦ Function x : O → P(C) maps an object to its conflict of interest class, an element of the powerset of C
• Security label is the pair (x(o), y(o))
• Sanitized information is an object with no sensitive information
◦ Its label is (∅, y(o))
• Matrix N (indexed by S × O) records the history of the subjects' actions (true or false)

• Access is granted only if the object belongs to
◦ a data set already accessed by the subject, or
◦ a different conflict of interest class than previous objects
• ss-property: A subject s is permitted to access an object o only if for all objects o' with N[s,o'] = true, y(o) = y(o') or y(o) ∉ x(o')
  Figure: conflict of interest class Bank, containing the datasets Bank A and Bank B. An analyst who has accessed objects in the grey shaded area (part of Bank A) will have access to other objects in the Bank A dataset, but not to the Bank B dataset.

  Figure: Company A --read--> Analyst A --write--> Bank;  Bank --read--> Analyst B --write--> Company B
• Analyst A updates bank information about company A
• Analyst B can read this bank information and write to an object in company B

• *-property regulates write access
A subject s can write to an object o only if s has no read access to an object o' with y(o) ≠ y(o') (other data set) and x(o') ≠ ∅ (unsanitized data)
• Very restrictive: If you can read sensitive information in one company, you can not write to objects in any other company – ever
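The Chinese Wall rules above, as an added example that is not code from the lecture: the history matrix N, the ss-property and the *-property, replayed on the Analyst A / Bank / Analyst B flow drawn above. The object names, datasets, conflict of interest classes (Company A competes with Company B; the two banks form their own class) and the sanitized market summary are constructed. One assumption beyond the slide's wording: the *-property here also requires the ss-property for the object being written, as Brewer and Nash's original rule does.

```python
"""Chinese Wall (Brewer-Nash) ss-property and *-property with the history N.

Added example; not code from the original slides. Datasets, conflict of
interest classes, object names and analysts are constructed.
"""

class ChineseWall:
    def __init__(self, objects):
        # objects: name -> (x(o), y(o)); x(o) is the conflict of interest class
        # as a frozenset of companies (empty for sanitized data), y(o) the
        # company dataset the object belongs to.
        self.objects = objects
        self.N = set()          # (s, o) with N[s,o] = true: s has accessed o

    def x(self, o):
        return self.objects[o][0]

    def y(self, o):
        return self.objects[o][1]

    def history(self, s):
        return [o for s2, o in self.N if s2 == s]

    def may_read(self, s, o):
        """ss-property: for every o' already accessed by s, y(o) = y(o') or
        y(o) is not in x(o')."""
        return all(self.y(o) == self.y(o2) or self.y(o) not in self.x(o2)
                   for o2 in self.history(s))

    def may_write(self, s, o):
        """*-property: s may write o only if it has read no object o' of another
        dataset (y(o) != y(o')) holding unsanitized data (x(o') != empty).
        Brewer and Nash also require the ss-property for o itself (assumed
        here; the slide's wording leaves it implicit)."""
        return self.may_read(s, o) and all(
            self.y(o) == self.y(o2) or not self.x(o2) for o2 in self.history(s))

    def read(self, s, o):
        """Perform a read: records N[s,o] = true when allowed."""
        if not self.may_read(s, o):
            return False
        self.N.add((s, o))
        return True

    def write(self, s, o):
        """Perform a write: records N[s,o] = true when allowed."""
        if not self.may_write(s, o):
            return False
        self.N.add((s, o))
        return True

# Constructed objects: Company A and Company B compete; the bank datasets
# form their own conflict of interest class; one sanitized summary.
COMPANIES = frozenset({"CompanyA", "CompanyB"})
BANKS = frozenset({"BankA", "BankB"})
OBJECTS = {
    "companyA_report": (COMPANIES, "CompanyA"),
    "companyB_report": (COMPANIES, "CompanyB"),
    "bankA_note":      (BANKS, "BankA"),
    "bankB_note":      (BANKS, "BankB"),
    "market_summary":  (frozenset(), "CompanyA"),   # sanitized: label (∅, CompanyA)
}

if __name__ == "__main__":
    wall = ChineseWall(OBJECTS)
    print("A reads Company A:", wall.read("analyst_A", "companyA_report"))
    print("A reads Bank A:   ", wall.read("analyst_A", "bankA_note"))
    print("A writes Bank A:  ", wall.write("analyst_A", "bankA_note"))      # blocked: the flow of the figure
    print("A reads Company B:", wall.read("analyst_A", "companyB_report"))  # blocked: the wall
    print("A reads Bank B:   ", wall.read("analyst_A", "bankB_note"))       # blocked: Bank A already read
```

Reading Bank A after Company A is allowed (different conflict of interest class), but writing Bank A afterwards is not: the analyst holds unsanitized Company A information, so the write would carry it into a dataset Analyst B can read. The same history also blocks Analyst A from writing back into Company A's own dataset, which is the "very restrictive" consequence noted above; only the sanitized summary leaves an analyst's write permissions untouched.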