Cybersecurity

and Defense- in
Depth

Lecture 2
9 Oct 2024

: ‫ﺗﺟ ﻣ ﯾﻊ وإ ﻋد ا د‬
‫أ ﺣ ﻣ د ﺣ ﺳ ﯾن‬
Security Policy
What is security policy?
• A Security Policy constitutes a formal document that articulates,
in written form, the methodology by which an organization intends
to safeguard its tangible and information technology (IT) assets.
• Briefly: A document that states clearly the goal of the protection
mechanisms.
• Security policies are dynamic documents that undergo perpetual
revisions and modifications in response to evolving technologies,
emerging vulnerabilities, and shifting security imperatives.
• Security policy describes which principal may access which data.
An example:
• Security policy model a short document (page or less) stating
essential system's protection properties.

• Security target more details about protection mechanism

provided by a specific implementation. Testing and evaluation
of a product could be performed with reference to the security
target.

• Protection profile A security target but in an implementation-

independent way. It works across different vendors/products.
The Bell-LaPadula Security Policy Model
• BLP model Proposed by Bell and LaPadula in 1973.
• Motivated by US Air Force concerns over the security of time-
sharing mainframe systems.
• It was discovered that the Pentagon’s Worldwide Military
Command and Control System was vulnerable to Trojan Horse
attacks. Thus, its use restricted to people with 'Top Secret'
clearance.
BLP model
• Reference monitor
• OS component that mediates the access control decisions
• Small enough to facilitate analysis and verification.
• Completeness could be assured.
• Now known as Trusted Computing Base (TCB)
• Correct functioning of TCB means the security policy is enforced.
• Failure of TCB could cause a breach of the security policy.
Classifications and
Clearances

• The need for a

common protective
marking scheme for
labelling the
sensitivity of
documents.
• Classifications:
Unclassified,
Confidential, Secret,
and Top Secret.
Access Control Policy
• A document could only be read by an official if his clearance was
at least as high as the document' classification.
• Information may only flow upwards (i.e. from unclassified to top
secret)
Document Handling Rules:
• Confidential documents could be stored
in a locked filing cabinet in a government
office.
• Higher level documents may require
approved safes, guarded rooms, … etc.
• Journalists could be prosecuted for
leaking any classified document.
Wiretapping and multilevel security

• The old way: Adding a physical wire to an

exchange.
• The new way: Replacing target calls into a silent
conference calls with an extra participant.
• The extra participant (wiretapper) should remain
silent and pay for the conference call charges.
• `High` principal can see `Low` data, but a
`Low` principal can't tell whether `High` is
reading any data at all, let alone what data.
BLP properties
BLP enforces two properties:
• Simple security property: No process may read data at a higher
level a.k.a. `no read up` (NRU)
• Star property: No process may write data to a lower-level a.k.a.
`no write down` (NWD)
BLP Model
Assumptions:
• Codes are buggy
• Some codes are malicious
• Most staff are careless
• Some staff are dishonest
How BLP protects against malicious code?
• NWD was suggested to protect against malicious code attacks.
• An uncleared user could write a Trojan.
• Leave it until a cleared user might execute it.
• It then could copy itself into the `Secret` part of the system, read
the data, and try to signal it down somehow.
• If the Trojan could write down where its creator could read it, the
security policy would have been violated.
Implementation of Multilevel Security
Systems
• First approach: Reference Monitor
Implement a reference monitor as part of OS kernel that
supervises all system calls and checks access permissions to
decide whether the call can be serviced. (Hard to make it small
enough)
• Second approach: System replication
• Physical replications in the 1990s.
• Virtual machines since about 2005.
• Multiple systems (VMs) at different security levels on the same PC.
• Pump: constantly copies information from Low up to High, all running on
VMware on top of SELinux (Security-Enhanced Linux).