
13 526 Topic17

The document discusses the Bell-LaPadula (BLP) model, which is a mandatory access control security model for systems with multi-level security. The BLP model defines subjects and objects with security levels and prevents information from flowing between different levels using the simple security property and star property. However, the BLP model does not prevent covert channels and information flow across system states.


Information Security

CS 526
Topic 17

The Bell LaPadula Model

CS526 Topic 17: BLP 1


Readings for This Lecture

• Wikipedia: Bell-LaPadula model
• David E. Bell: Looking Back at the Bell-La Padula Model


Access Control at Different Abstractions
• Using principals
– Determines which principals (user accounts) can access what documents
• Using subjects
– Determines which subjects (processes) can access what resources
– This is where BLP focuses


Multi-Level Security (MLS)
• There are security classifications or security levels
– Users/principals/subjects have security clearances
– Objects have security classifications
• Example of security levels
– Top Secret
– Secret
– Confidential
– Unclassified
• In this case Top Secret > Secret > Confidential > Unclassified
• Security goal (confidentiality): ensure that information does not flow to those not cleared for that level


Multi-level Security (MLS)
• The capability of a computer system to carry information with different sensitivities (i.e. classified information at different security levels), permit simultaneous access by users with different security clearances and needs-to-know, and prevent users from obtaining access to information for which they lack authorization.
– Discretionary access control fails to achieve MLS
• Typically uses Mandatory Access Control
• Primary Security Goal: Confidentiality


Mandatory Access Control

• Mandatory access controls (MAC) restrict the access of subjects to objects based on a system-wide policy
– denying users full control over the access to resources that they create. The system security policy (as set by the administrator) entirely determines the access rights granted


Bell-LaPadula Model: A MAC Model for Achieving Multi-level Security
• Introduced in 1973
• The Air Force was concerned with security in time-sharing systems
– Many OS bugs
– Accidental misuse
• Main Objective:
– Enable one to formally show that a computer system can securely process classified information


What is a Security Model?
• A model describes the system
– e.g., a high level specification or an abstract machine description of what the system does
• A security policy
– defines the security requirements for a given system
• Verification techniques that can be used to show that a policy is satisfied by a system
• System Model + Security Policy = Security Model


Approach of BLP
• Use state-transition systems to describe computer systems
• Define a system as secure iff. every reachable state satisfies 3 properties
– simple-security property, *-property, discretionary-security property
• Prove a Basic Security Theorem (BST)
– so that, given the description of a system, one can prove that the system is secure


The BLP Security Model

• A computer system is modeled as a state-transition system
– There is a set of subjects; some are designated as trusted.
– Each state has objects, an access matrix, and the current access information.
– There are state transition rules describing how a system can go from one state to another
– Each subject s has a maximal security level Lm(s) and a current security level Lc(s)
– Each object has a classification level


Elements of the BLP Model
[Figure: the elements of the model] Security levels, e.g. {TS, S, C, U}. Subjects carry Lm (maximal security level) and Lc (current security level); objects carry L (classification level). A state also records the current accesses, the set of trusted subjects, and the access matrix.
The BLP Security Policy

• A state is secure if it satisfies
– Simple Security Condition (no read up):
• S can read O iff Lm(S) ≥ L(O)
– The Star Property (no write down): for any S that is not trusted
• S can read O iff Lc(S) ≥ L(O) (no read up)
• S can write O iff Lc(S) ≤ L(O) (no write down)
– Discretionary-security property
• every access is allowed by the access matrix
• A system is secure if and only if every reachable state is secure.
Implication of the BLP Policy
[Figure: objects arranged from highest to lowest classification alongside a subject's maximum level and current level] Objects classified above the subject's current level: the subject can write. Objects at its current level: it can read and write. Objects below its current level: it can read.


STAR-PROPERTY

• Applies to subjects (principals) not to users
• Users are trusted (must be trusted) not to disclose secret information outside of the computer system
• Subjects are not trusted because they may have Trojan Horses embedded in the code they execute
• Star-property prevents overt leakage of information and does not address the covert channel problem


Is BLP Notion of Security Good?

• The objective of BLP security is to ensure
– a subject cleared at a low level should never read information classified high
• The ss-property and the *-property are sufficient to stop such information flow at any given state.
• What about information flow across states?


BLP Security Is Not Sufficient!
• Consider a system with s1, s2, o1, o2
– fS(s1) = fC(s1) = fO(o1) = high
– fS(s2) = fC(s2) = fO(o2) = low
• And the following execution
– s1 gets access to o1, reads something, releases access, then changes current level to low, gets write access to o2, writes to o2
• Every state is secure, yet an illegal information flow exists
• Solution: tranquility principle: a subject cannot change current levels, or cannot drop below the highest level read so far
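The trace above, as an added example that is not part of the slides: a small Python model of the state-transition system with the per-state checks from the BLP policy slide, replayed with and without the tranquility principle (implemented here as a high-water mark on the highest level a subject has read). Class and function names are assumed, there are no trusted subjects, and the access matrix is assumed to permit every access.

```python
LOW, HIGH = 0, 1  # the slide's two linear levels (HIGH > LOW)
class BLPSystem:
    def __init__(self, subjects, objects, tranquility=False):
        self.lm = {s: lm for s, (lm, _) in subjects.items()}   # maximal level Lm
        self.lc = {s: lc for s, (_, lc) in subjects.items()}   # current level Lc
        self.lo = dict(objects)                                 # classification L
        self.high_water = dict(self.lc)          # highest level read so far
        self.tranquility = tranquility           # forbid drops below high water
        self.current = set()                     # current accesses (s, o, mode)
        self.held = {s: set() for s in subjects}     # objects whose data s has read
        self.content = {o: {o} for o in objects}     # objects whose data o contains

    def state_is_secure(self):
        # ss- and *-property over every current access (no trusted subjects here)
        for s, o, mode in self.current:
            if mode == "read" and not (self.lm[s] >= self.lo[o] and self.lc[s] >= self.lo[o]):
                return False
            if mode == "write" and not self.lc[s] <= self.lo[o]:
                return False
        return True

    def get_access(self, s, o, mode):
        self.current.add((s, o, mode))
        if not self.state_is_secure():
            raise PermissionError(f"{s} {mode} {o} would make the state insecure")
        if mode == "read":
            self.held[s] |= self.content[o]
            self.high_water[s] = max(self.high_water[s], self.lo[o])
        else:
            self.content[o] |= self.held[s]

    def release(self, s, o, mode):
        self.current.discard((s, o, mode))

    def change_current_level(self, s, new_lc):
        if self.tranquility and new_lc < self.high_water[s]:
            raise PermissionError(f"{s} may not drop below level {self.high_water[s]}")
        self.lc[s] = new_lc

def run_trace(tranquility=False):
    sys_ = BLPSystem({"s1": (HIGH, HIGH), "s2": (LOW, LOW)},
                     {"o1": HIGH, "o2": LOW}, tranquility)
    try:
        sys_.get_access("s1", "o1", "read"); sys_.release("s1", "o1", "read")
        sys_.change_current_level("s1", LOW)   # every state so far is secure
        sys_.get_access("s1", "o2", "write"); sys_.release("s1", "o2", "write")
        sys_.get_access("s2", "o2", "read")    # low subject now holds o1's data
    except PermissionError as e:
        return f"blocked: {e}"
    return "leaked" if "o1" in sys_.held["s2"] else "no flow"
```

Without tranquility every individual state passes the checks yet o1's data reaches the low-cleared s2; with tranquility the level drop itself is refused.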



Main Contributions of BLP
• The overall methodology to show that a system is secure
– adopted in many later works
• The state-transition model
– which includes an access matrix, subject security levels, object levels, etc.
• The introduction of *-property
– ss-property is not enough to stop illegal information flow


Other Limitations with BLP
• Deals only with confidentiality, does not deal with integrity at all
– Confidentiality is often not as important as integrity in most situations
– Addressed by integrity models (such as Biba, Clark-Wilson, which we will cover later)
• Does not deal with information flow through covert channels


Overt (Explicit) Channels vs. Covert Channels
• Security objective of MLS in general, BLP in particular
– high-classified information cannot flow to low-cleared users
• Overt channels of information flow
– read/write an object
• Covert channels of information flow
– communication channel based on the use of system resources not normally intended for communication between the subjects (processes) in the system


Examples of Covert Channels
• Using a file lock as a shared boolean variable
• By varying its ratio of computing to input/output or its paging rate, the service can transmit information to a concurrently running process
• Timing of packets being sent
• Covert channels are often noisy
• However, information theory and coding theory can be used to encode and decode information through noisy channels


More on Covert Channels
• Covert channels cannot be blocked by the *-property
• It is generally very difficult, if not impossible, to block all covert channels
• One can try to limit the bandwidth of covert channels
• The military requires cryptographic components to be implemented in hardware
– to avoid a Trojan horse leaking keys through covert channels


More on MLS: Security Levels
• Used as attributes of both subjects & objects
– clearance & classification
• Typical military security levels:
– top secret > secret > confidential > unclassified
• Typical commercial security levels
– restricted > proprietary > sensitive > public


Security Categories
• Also known as compartments
• Typical military security categories
– army, navy, air force
– nato, nasa, noforn
• Typical commercial security categories
– Sales, R&D, HR
– Dept A, Dept B, Dept C



Security Labels
• Labels = Levels × P(Categories)
• Define an ordering relationship among Labels
– (e1, C1) ≥ (e2, C2) iff. e1 ≥ e2 and C1 ⊇ C2
• This ordering relation is a partial order
– reflexive, transitive, anti-symmetric
– e.g.,
• All security labels form a lattice


An Example Security Lattice
• levels = {top secret, secret}
• categories = {army, navy}
[Figure: Hasse diagram of the eight labels, listed here from top to bottom]
– (Top Secret, {army, navy})
– (Top Secret, {army}), (Top Secret, {navy}), (Secret, {army, navy})
– (Top Secret, {}), (Secret, {army}), (Secret, {navy})
– (Secret, {})
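The label ordering on the previous slide and the lattice above, as an added example (not from the slides): labels are (level, category set) pairs, `dominates` is the slide's ordering, `is_partial_order` and `is_lattice` check the two claims exhaustively over the slide's eight labels, and `can_read`/`can_write` apply the BLP conditions to labels rather than plain levels. Function names and the integer ranking of the levels are assumptions.

```python
from itertools import chain, combinations

RANK = {"secret": 1, "top secret": 2}   # the slide's two levels, ranked

def dominates(l1, l2):
    """(e1, C1) dominates (e2, C2) iff e1 >= e2 and C1 is a superset of C2."""
    (e1, c1), (e2, c2) = l1, l2
    return RANK[e1] >= RANK[e2] and c1 >= c2

def all_labels(levels, categories):
    """Levels x P(Categories): every (level, category set) pair."""
    cats = sorted(categories)
    powerset = chain.from_iterable(combinations(cats, k) for k in range(len(cats) + 1))
    subsets = [frozenset(c) for c in powerset]
    return [(e, c) for e in levels for c in subsets]

def is_partial_order(labels):
    """Reflexive, anti-symmetric and transitive, checked over all pairs/triples."""
    reflexive = all(dominates(a, a) for a in labels)
    antisym = all(a == b or not (dominates(a, b) and dominates(b, a))
                  for a in labels for b in labels)
    transitive = all(dominates(a, c) or not (dominates(a, b) and dominates(b, c))
                     for a in labels for b in labels for c in labels)
    return reflexive and antisym and transitive

def join(l1, l2):
    """Least upper bound: the lowest label that dominates both arguments."""
    return (max(l1[0], l2[0], key=RANK.__getitem__), l1[1] | l2[1])

def meet(l1, l2):
    """Greatest lower bound: the highest label both arguments dominate."""
    return (min(l1[0], l2[0], key=RANK.__getitem__), l1[1] & l2[1])

def is_lattice(labels):
    """Join side of the lattice check: each pair's join lies in the set and is
    dominated by every common upper bound, so it really is the *least* one."""
    for a in labels:
        for b in labels:
            j = join(a, b)
            if j not in labels or not all(dominates(x, j) for x in labels
                                          if dominates(x, a) and dominates(x, b)):
                return False
    return True

def can_read(subject, obj):   # no read up: clearance label dominates object label
    return dominates(subject, obj)

def can_write(subject, obj):  # no write down: object label dominates clearance label
    return dominates(obj, subject)

LATTICE = all_labels(RANK, {"army", "navy"})   # the slide's 8-node lattice
```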



Coming Attractions …
• Non-interference and non-deducibility