7/30/2019 Bell_LaPadula_model (1).pdf
1/4
[Bell LaPadula model] April 14, 2012
Page 1 of 4
Bell LaPadula model:
- The Bell-LaPadula Model (BLM), also called the multi-level model, was proposed by Bell and LaPadula for enforcing access control in government and military applications.
- In such applications, subjects and objects are often partitioned into different security levels. A subject can only access objects at certain levels determined by his security level.
- For instance, the following are two typical access specifications: Unclassified personnel cannot read data at confidential levels and Top-Secret data cannot be written into the files at unclassified levels.
- The Bell-LaPadula model supports mandatory access control in terms of objects (tables, views, rows, columns, etc.), subjects (users, programs, etc.), security classes and clearances by determining the access rights from the security levels associated with subjects and objects.
- It also supports discretionary access control by checking access rights from an access matrix. More formally, each object is associated with a security level.
- Each database object is assigned a security class, and each subject is assigned clearance for a security class. We denote the class of an object or subject A as class(A).
- The security classes in a system are organized according to a partial order, with a most secure class and a least secure class.
- Each subject is also associated with a maximum and current security level, which can be changed dynamically. The set of classification levels is ordered by a < relationship.
- For simplicity, we assume that there are four classes: top secret (TS), secret (S), confidential (C) and unclassified (U) where U < C < S < TS.
- This means that class C is more secure than class U, class S is more secure than class C, and class TS is the most secure class.
- The Bell-LaPadula model imposes two restrictions on all reads and writes of database objects:
  Simple Security Property: Subject S is allowed to read object Q only if class(S) ≥ class(Q). For example, a user with TS clearance can read a table with C classification, but a user with C clearance is not allowed to read a table with TS classification.
  *-Property: Subject S is allowed to write object Q only if class(S) ≤ class(Q). For example, a user with S clearance can write only objects with S or TS classification.
- The set of access rights given to a subject are the following:
  - Read-Only: The subject can only read the object.
  - Append: The subject can only write to the object but it cannot read.
  - Execute: The subject can execute the object but can neither read nor write.
  - Read-Write: The subject has both read and write permissions to the object.
Control Attribute:
- This is an attribute given to the subject that creates an object.
- Due to this, the creator of an object can pass any of the above four access rights of that object to any subject. However, it cannot pass the control attribute itself.
- The creator of an object is also known as the controller of that object.
Restrictions imposed by the Bell-LaPadula Model:
- The following restrictions are imposed by the model:
Reading down:
- A subject has only read access to objects whose security level is below the subject's current clearance level.
- This prevents a subject from getting access to information available in security levels higher than its current clearance level.
Writing up:
- A subject has append access to objects whose security level is higher than its current clearance level.
- This prevents a subject from passing information to levels lower than its current level.
- The Bell-LaPadula model supplements the access matrix with the above restrictions to provide access control and information flow control.
- For instance, if a subject has read access to an object in the access matrix, it may still not be able to exercise this right if the object is at a security level higher than its clearance level.
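Added example (not part of the original notes): a reference monitor that applies the access matrix first and then the Simple Security Property and *-Property to each of the four access rights, using the subject's current level. All class, function and object names are hypothetical. The comparisons are the non-strict ones implied by the notes' own example (a subject with S clearance may write S objects), and treating execute as subject to the matrix only is an assumption of this example.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):              # U < C < S < TS, as on the page
    U = 0
    C = 1
    S = 2
    TS = 3

# Level checks each access right triggers. Assumption of this example:
# execute neither observes nor alters, so only the access matrix applies.
NEEDS_READ = {"read-only", "read-write"}
NEEDS_WRITE = {"append", "read-write"}

@dataclass
class Subject:
    name: str
    maximum: Level                 # highest level the subject may operate at
    current: Level                 # changeable, but never above maximum

    def set_current(self, level):
        if level > self.maximum:
            raise PermissionError("current level cannot exceed maximum")
        self.current = level

class ReferenceMonitor:
    def __init__(self, object_levels, matrix):
        self.object_levels = object_levels   # object name -> Level
        self.matrix = matrix                 # (subject, object) -> rights

    def check(self, subj, obj, right):
        """Return (allowed, reason) for a single access request."""
        # Discretionary check first: the right must be in the access matrix.
        if right not in self.matrix.get((subj.name, obj), set()):
            return False, "not in access matrix"
        level = self.object_levels[obj]
        if right in NEEDS_READ and subj.current < level:
            return False, "simple security property (no read up)"
        if right in NEEDS_WRITE and subj.current > level:
            return False, "*-property (no write down)"
        return True, "ok"

def demo():
    # Constructed sample data, not taken from the page.
    levels = {"payroll": Level.S, "bulletin": Level.U, "warplan": Level.TS}
    alice = Subject("alice", maximum=Level.S, current=Level.S)
    rights = {"read-only", "append", "read-write", "execute"}
    rm = ReferenceMonitor(levels, {("alice", o): set(rights) for o in levels})
    return {(o, r): rm.check(alice, o, r)[0] for o in levels for r in sorted(rights)}
```

Because read-write triggers both checks, it is only granted when the subject's current level equals the object's level, even though the access matrix lists the right for every object.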
- Bell and LaPadula modeled the behavior of a protection system as a finite state machine and defined a set of state transitions that would not violate the security of the system.
- The following operations guarantee a secure system:
  - Get access: Used by a subject to initiate access to an object (read, append, execute etc.).
  - Release access: Used by a subject to give up an initiated access.
  - Give access: Controller of an object can give a particular access (to that object) to a subject.
  - Rescind access: Controller of an object can revoke a designated access (to that object) from a subject.
  - Create object: Allows a subject to activate an inactive object.
  - Delete object: Allows a subject to deactivate an active object.
  - Change security level: Allows a subject to change its clearance level (below an initial assigned value).
- However, certain conditions have to be satisfied before the above operations can be performed.
- For instance, a subject can exercise give and rescind rights to an object only if it has the control attribute for that object.
- Bell-LaPadula is a simple linear model that exercises access and information flow control through the above restrictive properties and operations.
- However, it has the disadvantage that the security levels of objects are static.
- The properties of this model might become too restrictive in cases when certain operations are outside the context of the protection system.
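Added example (not part of the original notes): the create, give, rescind and get operations as state transitions. Give and rescind succeed only for the holder of the control attribute, and the control attribute itself cannot be passed. Class and method names are hypothetical, security-level checks are left out here, and ending an in-progress access on rescind is an assumption of this example.

```python
RIGHTS = {"read-only", "append", "execute", "read-write"}

class ProtectionState:
    def __init__(self):
        self.controller = {}   # object -> subject holding the control attribute
        self.matrix = {}       # (subject, object) -> rights that may be requested
        self.active = set()    # (subject, object, right) accesses in progress

    def create_object(self, subject, obj):
        self.controller[obj] = subject            # creator becomes the controller
        self.matrix[(subject, obj)] = set(RIGHTS)

    def _require_control(self, actor, obj):
        if self.controller.get(obj) != actor:
            raise PermissionError(f"{actor} has no control attribute for {obj}")

    def give(self, actor, obj, subject, right):
        self._require_control(actor, obj)
        if right not in RIGHTS:                   # control is not one of the four rights
            raise ValueError("only the four access rights can be passed")
        self.matrix.setdefault((subject, obj), set()).add(right)

    def rescind(self, actor, obj, subject, right):
        self._require_control(actor, obj)
        self.matrix.get((subject, obj), set()).discard(right)
        self.active.discard((subject, obj, right))   # assumption: also ends the access

    def get(self, subject, obj, right):
        if right not in self.matrix.get((subject, obj), set()):
            raise PermissionError("right not granted in access matrix")
        self.active.add((subject, obj, right))

def demo():
    # Constructed scenario, not taken from the page.
    st = ProtectionState()
    st.create_object("alice", "report")
    st.give("alice", "report", "bob", "read-only")
    steps = [(st.get, ("bob", "report", "read-only")),
             (st.give, ("bob", "report", "carol", "read-only")),
             (st.give, ("alice", "report", "bob", "control")),
             (st.rescind, ("alice", "report", "bob", "read-only")),
             (st.get, ("bob", "report", "read-only"))]
    outcomes = []
    for op, args in steps:
        try:
            op(*args)
            outcomes.append("ok")
        except (PermissionError, ValueError) as exc:
            outcomes.append(type(exc).__name__)
    return outcomes, st.active
```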