April 21: Bell-LaPadula Model
• Bell-LaPadula confidentiality model
• Tranquility
• Declassification
• McLean’s criticism and System Z
April 21, 2017 ECS 235B Spring Quarter 2017 Slide #1
Rule
• ρ : R × V → D × V
• Takes a request and a state, returns a decision and a (possibly new) state
• Rule ρ is ssc-preserving if for all (r, v) ∈ R × V with v satisfying ssc rel f, ρ(r, v) = (d, v′) implies that v′ satisfies ssc rel f′ (f′ being the level function of v′)
– Similar definitions for *-property, ds-property
– If a rule meets all 3 conditions, it is security-preserving
Unambiguous Rule Selection
• Problem: multiple rules may apply to a request in a state
– if two rules act on a read request in state v …
• Solution: define relation W(ω) for a set of rules ω = { ρ_1, …, ρ_m } such that a tuple (r, d, v, v′) ∈ W(ω) iff either
– d = i; or
– for exactly one integer j (1 ≤ j ≤ m), ρ_j(r, v) = (d, v′)
• Either the request is illegal, or exactly one rule applies
Rules Preserving SSC
• Let ω be a set of ssc-preserving rules. Let state z_0 satisfy the simple security condition. Then Σ(R, D, W(ω), z_0) satisfies the simple security condition
– Proof: by contradiction.
• Choose (x, y, z) ∈ Σ(R, D, W(ω), z_0) as an appearance in which some state does not satisfy the simple security condition; then choose t ∈ N such that (x_t, y_t, z_t) is the first appearance not meeting the simple security condition, so z_{t–1} satisfies it
• As (x_t, y_t, z_t, z_{t–1}) ∈ W(ω), there is a unique rule ρ ∈ ω such that ρ(x_t, z_{t–1}) = (y_t, z_t) and y_t ≠ i (if y_t = i the state is unchanged, z_t = z_{t–1}, which satisfies the condition)
• As ρ is ssc-preserving and z_{t–1} satisfies the simple security condition, z_t meets the simple security condition, contradiction
Adding States Preserving SSC
• Let v = (b, m, f, h) satisfy the simple security condition. Let (s, o, p) ∉ b, b′ = b ∪ { (s, o, p) }, and v′ = (b′, m, f, h). Then v′ satisfies the simple security condition iff:
1. Either p = e or p = a; or
2. Either p = r or p = w, and f_s(s) dom f_o(o)
– Proof
1. Immediate from the definition of the simple security condition: an e or a access imposes no condition on levels, so (s, o, p) satisfies ssc rel f; every other element of b′ is in b and satisfies it because v does; hence v′ satisfies the simple security condition
2. If v′ satisfies the simple security condition, then (s, o, p) ∈ b′ satisfies ssc rel f, so f_s(s) dom f_o(o). Conversely, if f_s(s) dom f_o(o), then (s, o, p) satisfies ssc rel f, and every other element of b′ is in b and satisfies it because v does, so v′ satisfies the simple security condition
Rules, States Preserving *-Property
• Let ω be a set of *-property-preserving rules, and let state z_0 satisfy the *-property. Then Σ(R, D, W(ω), z_0) satisfies the *-property
Rules, States Preserving ds-Property
• Let ω be a set of ds-property-preserving rules, and let state z_0 satisfy the ds-property. Then Σ(R, D, W(ω), z_0) satisfies the ds-property
Combining
• Let ρ be a rule and ρ(r, v) = (d, v′), where v = (b, m, f, h) and v′ = (b′, m′, f′, h′). Then:
1. If b′ ⊆ b, f′ = f, and v satisfies the simple security condition, then v′ satisfies the simple security condition
2. If b′ ⊆ b, f′ = f, and v satisfies the *-property, then v′ satisfies the *-property
3. If b′ ⊆ b, m[s, o] ⊆ m′[s, o] for all s ∈ S and o ∈ O, and v satisfies the ds-property, then v′ satisfies the ds-property
Proof
1. Suppose v satisfies the simple security condition.
a) b′ ⊆ b and (s, o, r) ∈ b′ implies (s, o, r) ∈ b
b) b′ ⊆ b and (s, o, w) ∈ b′ implies (s, o, w) ∈ b
c) So f_s(s) dom f_o(o), because v satisfies the simple security condition (e and a accesses impose no level condition)
d) But f′ = f, hence f′_s(s) dom f′_o(o)
e) So v′ satisfies the simple security condition
f) 2, 3 are proved similarly
Example Instantiation: Multics
• 11 rules affect rights:
– set to request, release access
– set to give, remove access to different subject
– set to create, reclassify objects
– set to remove objects
– set to change subject security level
• Set of “trusted” subjects S_T ⊆ S
– *-property not enforced; subjects trusted not to violate it
• Δ(ρ) domain
– determines if components of request are valid
get-read Rule
• Request r = (get, s, o, r)
– s gets (requests) the right to read o; the final component r is the read right
• Rule is ρ_1(r, v):
if (r ∉ Δ(ρ_1)) then ρ_1(r, v) = (i, v);
else if (f_s(s) dom f_o(o) and [s ∈ S_T or f_c(s) dom f_o(o)] and r ∈ m[s, o])
then ρ_1(r, v) = (y, (b ∪ { (s, o, r) }, m, f, h));
else ρ_1(r, v) = (n, v);
Security of Rule
• The get-read rule preserves the simple security condition, the *-property, and the ds-property
– Proof
• Let v satisfy all three conditions. Let ρ_1(r, v) = (d, v′). If v′ = v, the result is trivial. So let v′ = (b ∪ { (s, o, r) }, m, f, h).
Proof
• Consider the simple security condition.
– From the choice of v′, either b′ – b = ∅ or b′ – b = { (s, o, r) }
– If b′ – b = ∅, then (s, o, r) ∈ b, so v′ = v, and v′ satisfies the simple security condition because v does.
– If b′ – b = { (s, o, r) }, then because the get-read rule requires that f_s(s) dom f_o(o), the earlier result on adding a tuple to b (p = r and f_s(s) dom f_o(o)) says that v′ satisfies the simple security condition.
Proof
• Consider the *-property.
– Either s ∈ S_T or f_c(s) dom f_o(o), from the definition of get-read
– If s ∈ S_T, then s is trusted, so the *-property holds by definition of trusted subjects and S_T.
– If f_c(s) dom f_o(o), the analogous result for the *-property (adding (s, o, r) to b when f_c(s) dom f_o(o)) says that v′ satisfies the *-property.
Proof
• Consider the discretionary security property.
– The conditions in the get-read rule require r ∈ m[s, o], and either b′ – b = ∅ or b′ – b = { (s, o, r) }
– If b′ – b = ∅, then (s, o, r) ∈ b, so v′ = v, and v′ satisfies the ds-property because v does.
– If b′ – b = { (s, o, r) }, then (s, o, r) ∉ b and r ∈ m[s, o], so the analogous result for the ds-property says that v′ satisfies the ds-property.
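The following is an added, executable illustration of the machinery on these slides; it is not code from the slides, from Bell and LaPadula, or from Multics. It implements the state v = (b, m, f, h), the three property checks, the get-read rule ρ_1 with its domain test Δ(ρ_1) and trusted set S_T, rule selection per W(ω), and a run of Σ(R, D, W(ω), z_0) that confirms every state reached keeps all three properties when z_0 does. The two-level lattice, the subjects, objects and matrix, and the second rule (a release rule that only shrinks b, so the "combining" result covers it) are constructed assumptions for this example.

```python
from typing import NamedTuple

# Added example (not from the slides). A security level is (rank, frozenset of
# categories); l1 dom l2 means rank1 >= rank2 and categories1 ⊇ categories2.
def dom(l1, l2):
    return l1[0] >= l2[0] and l1[1] >= l2[1]

class State(NamedTuple):
    b: frozenset   # current accesses: set of (s, o, p)
    m: dict        # access control matrix: (s, o) -> set of rights
    f: tuple       # (f_s, f_o, f_c): max level, object level, current level
    h: dict        # hierarchy; not consulted by the rules below

def satisfies_ssc(v):
    """Simple security condition: r/w accesses need f_s(s) dom f_o(o)."""
    fs, fo, _ = v.f
    return all(p in ("e", "a") or dom(fs[s], fo[o]) for (s, o, p) in v.b)

def satisfies_star(v, trusted):
    """*-property, judged at the current level f_c; subjects in S_T are exempt."""
    _, fo, fc = v.f
    for (s, o, p) in v.b:
        if s in trusted:
            continue
        if p == "a" and not dom(fo[o], fc[s]):
            return False
        if p == "w" and fo[o] != fc[s]:
            return False
        if p == "r" and not dom(fc[s], fo[o]):
            return False
    return True

def satisfies_ds(v):
    """ds-property: every current access is permitted by the matrix m."""
    return all(p in v.m.get((s, o), set()) for (s, o, p) in v.b)

def get_read(req, v, trusted):
    """Multics get-read rule rho_1; Delta(rho_1) is requests (get, s, o, r)."""
    if not (len(req) == 4 and req[0] == "get" and req[3] == "r"):
        return ("i", v)                                    # r not in Delta(rho_1)
    _, s, o, _ = req
    fs, fo, fc = v.f
    if dom(fs[s], fo[o]) and (s in trusted or dom(fc[s], fo[o])) \
            and "r" in v.m.get((s, o), set()):
        return ("y", State(v.b | {(s, o, "r")}, v.m, v.f, v.h))
    return ("n", v)

def release(req, v, trusted):
    """Assumed release rule: (release, s, o, p) drops the access. b' ⊆ b with
    f and m unchanged, so the 'combining' result says it preserves all three."""
    if not (len(req) == 4 and req[0] == "release" and req[3] in ("r", "w", "a", "e")):
        return ("i", v)
    _, s, o, p = req
    return ("y", State(v.b - {(s, o, p)}, v.m, v.f, v.h))

def step(rules, req, v, trusted):
    """Rule selection W(omega): illegal unless exactly one rule's domain holds req."""
    applicable = [out for out in (rho(req, v, trusted) for rho in rules) if out[0] != "i"]
    return applicable[0] if len(applicable) == 1 else ("i", v)

def run(rules, z0, requests, trusted):
    """Sigma(R, D, W(omega), z0): decisions, states reached, and whether every
    state reached satisfies ssc, *-property and ds-property."""
    decisions, states, v = [], [z0], z0
    for req in requests:
        d, v = step(rules, req, v, trusted)
        decisions.append(d)
        states.append(v)
    secure = all(satisfies_ssc(z) and satisfies_star(z, trusted) and satisfies_ds(z)
                 for z in states)
    return decisions, states, secure

# Constructed sample system: two levels, four subjects, two objects.
LOW, HIGH = (0, frozenset()), (1, frozenset({"NUC"}))
F_S = {"alice": HIGH, "bob": HIGH, "carol": LOW, "sys": HIGH}
F_C = {"alice": HIGH, "bob": LOW, "carol": LOW, "sys": LOW}
F_O = {"doc": HIGH, "memo": LOW}
M = {("alice", "doc"): {"r", "w"}, ("bob", "doc"): {"r"}, ("carol", "doc"): {"r"},
     ("sys", "doc"): {"r"}, ("bob", "memo"): {"r"}}
TRUSTED = {"sys"}                       # S_T: *-property not enforced for sys
Z0 = State(frozenset(), M, (F_S, F_O, F_C), {})
RULES = [get_read, release]
REQUESTS = [
    ("get", "alice", "doc", "r"),       # y: f_s and f_c both dominate doc
    ("get", "bob", "doc", "r"),         # n: cleared (f_s) but current level too low
    ("get", "carol", "doc", "r"),       # n: not cleared
    ("get", "sys", "doc", "r"),         # y: trusted, so f_c is not checked
    ("get", "bob", "memo", "r"),        # y
    ("give", "alice", "doc", "r"),      # i: no rule in omega covers it
    ("release", "alice", "doc", "r"),   # y: shrinking b keeps every property
]

def example_trace():
    decisions, _, secure = run(RULES, Z0, REQUESTS, TRUSTED)
    return decisions, secure

def example_unsafe_state():
    """A state no rule produces: bob reading doc satisfies ssc (via f_s) and
    ds, but not the *-property (via f_c)."""
    bad = State(frozenset({("bob", "doc", "r")}), M, (F_S, F_O, F_C), {})
    return satisfies_ssc(bad), satisfies_star(bad, TRUSTED), satisfies_ds(bad)

if __name__ == "__main__":
    print(example_trace())          # (['y', 'n', 'n', 'y', 'y', 'i', 'y'], True)
    print(example_unsafe_state())   # (True, False, True)
```

The trace shows the three decisions the rule can return: i when the request lies outside every rule's domain, n when ρ_1's conditions fail, and y with a new state. The hand-built state at the end is why the ssc theorem above is stated with f_s while the get-read rule also checks f_c: a subject cleared for an object may still be running at a current level that makes the read a *-property violation.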