
The Bell-LaPadula Model, CSM27 Computer Security, Dr Hans Georg Schaathun



  1. The Bell-LaPadula Model. CSM27 Computer Security. Dr Hans Georg Schaathun, University of Surrey. Autumn 2008 – Week 6.

  2. The session: Outline
     1. The session
     2. Finite Automata
     3. Bell-LaPadula
     4. Security Properties
     5. Limitations
     6. Multics
     7. Conclusion

  3. The session: Session objectives
     - Be able to use the principle of finite automata to describe security models.
     - Understand the confidentiality policy of Bell-LaPadula.
     - Understand the limitations of Bell-LaPadula.


  5. Finite Automata: A finite automaton
     - state machine ≈ automaton
     - A set of states, $Q$
     - An input alphabet $\Sigma$: labels for the state transitions
     - Initial state $q_0 \in Q$
     - Accepting states $A \subset Q$
     - Transition function $\delta : Q \times \Sigma \to Q$, equivalent to the edges (arrows)
     - [Figure: state-transition diagram with numbered states and edges labelled 0 and 1]

  6. Finite Automata: A finite automaton
     - A state can be good or bad: secure or insecure.
     - Transitions from good to bad states are dangerous.
     - Two criteria:
       - The start state must be secure
       - No transition from secure to insecure
     - [Figure: state-transition diagram with numbered states and edges labelled 0 and 1]



  10. Bell-LaPadula: The principle of an automata model
      1. Describe all secure states
      2. Describe transitions from secure states
      3. Prove that no transition leads from secure to insecure

      If this is possible, the system is provably secure. Bell-LaPadula is one description of secure states.

      Similar principles apply to e.g. database development:
      - Database has to be maintained in a consistent state
      - No operation (transition) allowed to bring the database to an inconsistent state

  11. Bell-LaPadula: Elements of Access Control
      - a set of subjects $S$
      - a set of objects $O$
      - a set of access operations $A = \{\text{execute}, \text{read}, \text{append}, \text{write}\}$
      - a set of security levels $L$, with a partial ordering $\le$

  12. Bell-LaPadula: The State Set

      A state $(b, M, f)$ includes
      - Access operations currently in use, $b$: a list of tuples $(s, o, a)$, $s \in S$, $o \in O$, $a \in A$.
      - Access permission matrix $M = (M_{s,o})_{s \in S, o \in O}$, where $M_{s,o} \subset A$
      - Clearance and classification $f = (f_S, f_C, f_O)$
        - $f_S : S \to L$, maximal security level of a subject
        - $f_C : S \to L$, current security level of a subject ($f_C \le f_S$)
        - $f_O : O \to L$, classification of an object


  14. Security Properties: Simple Security Property (SS-property)

      A state $(b, M, f)$ satisfies the SS-property if

      $$\forall (s, o, a) \in b \text{ such that } a \in \{\text{read}, \text{write}\}: \quad f_O(o) \le f_S(s)$$

      I.e. a subject can only observe objects of lower classification.

  15. Security Properties: What about write access?
      - What policy do we need for write access?
        - Integrity: no write-up (to higher security levels)
        - Confidentiality: no write-down (to lower security levels)
      - Bell-LaPadula concerns confidentiality
        - Subject must not transmit messages to subjects at lower levels
      - Current security level allows communications
        - A subject has to be downgraded to send messages
        - Because subjects are computer programs they can be made to forget their knowledge when downgraded


  21. Security Properties: *-property

      A state $(b, M, f)$ satisfies the *-property if

      $$\forall (s, o, a) \in b \text{ such that } a \in \{\text{append}, \text{write}\}: \quad f_C(s) \le f_O(o)$$

      and if $\exists (s, o, a) \in b$ where $a \in \{\text{append}, \text{write}\}$, then

      $$\forall o', a' \in \{\text{read}, \text{write}\} \text{ such that } (s, o', a') \in b: \quad f_O(o') \le f_O(o)$$

      I.e. a subject can only alter objects of higher classification, and cannot read a high-level object while writing to a low-level object.

  22. Security Properties: Discretionary Security Property
      - Previous security properties provide Mandatory Access Control, i.e. a centrally defined access policy
      - The security levels are defined by a central policy
      - Discretionary Access Control (DAC) decentralises the control
      - The access control matrix $M$ allows DAC in Bell-LaPadula
      - A state $(b, M, f)$ satisfies the DS-property if $\forall (s, o, a) \in b$: $a \in M_{s,o}$.
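The three properties above and the automaton principle from slide 10, as an added example that is not part of the original slides: a state $(b, M, f)$ is checked against the SS-, *- and DS-properties, and a transition is granted only if the successor state is still secure. The `(rank, categories)` level encoding, the `request` function and the subject and object names are assumptions made for illustration.

```python
from dataclasses import dataclass, replace
OBSERVE = {"read", "write"}   # a in {read, write}: the subject observes o
ALTER = {"append", "write"}   # a in {append, write}: the subject alters o

def leq(x, y):
    # Assumed level encoding (rank, categories); the ordering is partial.
    return x[0] <= y[0] and x[1] <= y[1]

@dataclass(frozen=True)
class State:
    b: frozenset  # accesses currently in use, tuples (s, o, a)
    M: dict       # permission matrix, (s, o) -> set of operations
    f_S: dict     # maximal security level of each subject
    f_C: dict     # current security level of each subject
    f_O: dict     # classification of each object

def ss_property(st):
    return all(leq(st.f_O[o], st.f_S[s]) for s, o, a in st.b if a in OBSERVE)

def star_property(st):
    for s, o in {(s, o) for s, o, a in st.b if a in ALTER}:
        if not leq(st.f_C[s], st.f_O[o]):
            return False  # altering an object below the current level
        if any(s2 == s and a2 in OBSERVE and not leq(st.f_O[o2], st.f_O[o])
               for s2, o2, a2 in st.b):
            return False  # observing above the object being altered
    return True

def ds_property(st):
    return all(a in st.M.get((s, o), set()) for s, o, a in st.b)

def secure(st):
    return ss_property(st) and star_property(st) and ds_property(st)

def request(st, s, o, a):
    # Transition: grant (s, o, a) only if the successor state is secure.
    nxt = replace(st, b=st.b | {(s, o, a)})
    return (nxt, True) if secure(nxt) else (st, False)

# Constructed sample: two ranks, one category "x"; carol has no row in M.
LOW, HIGH, HIGH_X = (0, frozenset()), (1, frozenset()), (1, frozenset({"x"}))
ALL = {"execute", "read", "append", "write"}
START = State(
    b=frozenset(),
    M={(s, o): ALL for s in ("alice", "bob") for o in ("memo", "report", "xfile")},
    f_S={"alice": HIGH, "bob": HIGH, "carol": HIGH},
    f_C={"alice": HIGH, "bob": LOW, "carol": LOW},
    f_O={"memo": LOW, "report": HIGH, "xfile": HIGH_X},
)
```

Because `request` never returns an insecure state and `START` is secure, every state reachable through it is secure, which is the induction argument of slide 10.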
