REASONING

Computer

ABOUT SECURITY MODELS

John McLean

Science and Systems BranchNaval Research LaboratoryWashington,

ABSTRACT

A method for evaluating security models isdeveloped and applied to the model of Bell andLaPadula. The method shows the inadequacy ofthe Bell and LaPadula model, in particular,andthe impossibilityof any adequate definitionof asecure system based solely on the notion of asecure state. The implications for thefruitfulnessof seeking a global definition of a

secure system and for the state of foundationalresearch in computer security, in general, isdiscussed.

And so of the virtues, however manyand different they may be, they haveall a common nature which makesthem virtues; and on this he whowould answer the question, ‘What isvirtue?’ would do well to have his eye

fixed.Plato,J4eno (B. Jowett trans.)72c6-dl

For if you look at them you will not seesomething that is common to all, butsimilarities,relationships, and wholeseriesof them at that...1can think of nobetter expression to characterize thesesimilaritiesthan “family resemblance”...

Wittgenstein [1, $66-7]

If a concept fundamental to a mightyscience gives rise to difficulties,then itis surely an imperative task to

investigate it more closely until thosedifficultiesare overcome ...

Frege [2,p. II]

1. IntroductionSecurity is an especially hard property to

prove rigorously about a program. It’s not

D.C. 20375

that proofs about security are intrinsically moredifficult than proofs about other properties,but rather that the concept security, itself, isharder to explicate. For this reason, there hasbeen a great deal of focus on rigorouslydefining the concept of security, or in the jargonof the trade, constructing formal securitymodels. Such explications are important, forwithout them, many would regard it asimpossible to establish in any meaningful waythat a program is secure.

The security model developed by Bell andLaPadula [3] is the most widely accepted basisfor verifying the security of systems [4]. It hasbeen argued [5] that one reason developersshould have confidence in the security providedby systems based on this model is a theorem,called the “Basic Security Theorem” (BST),proven about a formalization of the model byits authors [3, p. 90, corollary Al]. However,this confidence is misplaced since the BST canbe proven for systems that directly contradictthe notion of security embodied in the Bell-LaPadula model [6].

This paper presents a method for evaluatingsecurity models and applies the method to theBell-LaPadula model. The results cast doubt onthe Bell-LaPadula model and the fruitfulness ofseeking global definitions of security. Theexistence of differing interpretations of themodel cast doubt on the status of computersecurity’s foundations in general.

2. How to Lend Credence to a SecurityModel

Current security models are formulated interms of the concept of a secure state, i. e., adefinition that places restrictions on what astate can look like, a secure transform, i. e., adefinition that places restrictions on what a

U.S.GovernmentWork.Not protectedby 123U.S.copyright.

Bell-LaPadula model’s definition of securesystem, it fails to satisfy the conditions requiredby our definition of a secure action. The factthat a definition of a secure system formulatedin terms of our definition of a secure action issupposed to explicate the same concept as Belland LaPadula’s definition shows that either theformer is too narrow or the latter is too wide.

The fact that system Z gives all subjectsaccess to all objects shows that it is the Bell-LaPadula model that is inadequate. In fact, itshould be clear that any explication of securitybased solely on the notion of a secure statemust fail for a similar reason. At best such anexplication can serve as a definition a secureinitial state. The concept of a secure systemmust be explicated as one whose initial state issecure and whose system transform is secure.

5. The Bell and LaPadula ModelReconsidered

When presented with system Z, some haveresponded with an attitude of “Who cares?”,while others have argued that the Bell-LaPadulamodel’s explication of security consists ofsomething more than the the model’s definitionof secure system and that this something morerules out systems such as z.6 With respect tothe latter, the suggestion is that the modelimplicitly includes the tranquility principle,which prohibits changing the security level ofan (active) object, or that it includes theparticular Multics-based rules given in [3]. Thefirst suggestion can easily be dismissed sincethe tranquility principle is clearly not part ofthe model as given in [3]. Not only is it notmentioned, it is violated by rule 11 of theMultics-based interpretation of the model. Thisis understandable since any model that did notpermit violations of tranquility would be tooconfining to be practical.

6A11 responses to system Z considered in this

section are taken from Computer SecurityForum 5, 18 (July 5, 1986), ed. Ted Lee forArpanet distribution. System Z was originallypresented in issue 14 (June 22, 1986) of theForum, and additional responses appeared inissues 25 (September 23,1986), 27-29 (all October(all December 9, 1986),

1986), 26 {October 5,16, 1986), and 30-31

The second suggestion can also bedismissed, but not as easily since [3] seemsambivalent with respect to it. Hence, we readthat the rules are one of the model’s threemajor facets [3, p. 5], yet that the the SS-, *-, andds-properties constitute the “systemcharacteristics that we desire to be maintained”[3, pp. 11-12] and that the rules are merely“one specific solution”, a particular solution that“is in no sense unique, but has been specificallytailored for use with a Multics-basedinformation system design .’’[3, p. 19] Thoughthe rules are presented as being part of themodel, the concept of a solution implies thatthey are not part of the model in any senserelevant to our considerations. If one explicatesthe concept of a Cartesian point’s being fiveunits from the origin by requiring that the pointsatisfies the equation X2+y2 = 25 and gives (3,4)as a specific solution, we cannot conclude thatthe explication requires that any point (x,y) fiveunits from the origin must have the propertythat x+Y=7. Similarly, we cannot conclude fromthe particular solution Bell and LaPadula give,that a secure system must have any properties(beyond the properties of SS-, *-, and ds-

security) that the particular solution has.

Rather, the particular system they specifyserves as one example of a system thatprovably satisfies their definition of securesystem. This is meant to justify our belief thatthe specified system is secure in somemeaningful sense. Unfortunately, since systemZ is another system that satisfies theirdefinition of a secure system, the justification isunconvincing. Similarly, we cannot be sure thatany system does not contain security flaws asserious, if not as obvious, as those of system Zsimply because it satisfies the definition ofsecure system provided by the Bell-LaPadulamodel.

Perhaps the most compelling reason forbelieving that the Multics-based rules provideonly an example of a secure system and notfurther properties a secure system must have isthat no other reading of [3] makes sense of therelation between the definition of secure systemand the Multics-based solution. The definitionof a secure system and the particular solutiondon’t convey the same set of constraints so itmakes no sense to say that the two are differentexplications of security. Nor does it make senseto say that the rules are supposed to add

128

modes in which an element of S can haveaccess to an element of O.

Bell and LaPadula define a system state v asan element of V= (BxMxFxH), where

B is the set of current accesses and isequal to P ( SXO XA), with each of itselements denoted as b;

M is the access permission matrix, whereAZh4ij is the set of access modes subjecti may have to object j;

F is a subset of LL$’XLSXLO where each f~Fis a triple consisting of f 5 , the securitylevel (clearance) associated with eachsubject, fo, the security level(classification) associated with eachobject, and f c , the current security levelfor each subject, such that f ~ dominatesf c ;and

H defines the current object hierarchy andis of no concern here.

The set of requests (e. g,, to acquire orrescind access to objects) is denoted by R,and the set of decisions (e. g., yes, no, error) isdenoted by D . W GR XD XV XV represents theactions of the system: (r,d,vz ,V1) represents arequest r yielding a decision d and moving thesystem from state VI to V2. Letting T be the setof positive integers and X, Y, and Z the set offunctions from T to R, D, and V, respectively, asystem Z(R,D, W,ZO) is a su’}set of XXYXZ suchthat (x,y,z)e .X(R, D, W,ZO) if and only if(xt,Yt,zl,zt.l)e W for each teT, where Z. is theinitial state of the system. Each triple(x,Y,z)GZ(R,D, W,Zo) is called an appearance of thesystem, and each quadruple (’Xt, yt, Zt, Zt.l) is

called an action of the system.

The concept of a secure state is defined bythree properties: the simple security (ss-)property, the *-property, and the discretionarysecurity (ds-) property. A state satisfies thess-property if for each element of b that hasan access mode of read or write, the clearanceof the subject dominates (in the partial order)the classification of the object. A triple(s, o ,x) satisfies the ss-property relative to f(rel fi ifx isexecute or append, or if x is reador write and fs(s) dominates fo(o).

A state satisfies the *-property if for each(S,O ,x) in b, the current security level of s isequal to the classification of o if the access modeis write, dominates the classification of o if theaccess mode is read, and is dominated by theclassification of o if the access mode is append.The concept of a triple satisfying the *-propertyrel f is analogous to satisfying the ss-propertyrel f. A state is said to satisfy the *-property relative to s’, where S‘ CS, if thiscondition holds for all triples of b in which s= S‘.Subjects not in S‘ (and therefore not bound bythe *-property relative to S‘) are called trustedsubjects. It is worthwhile noting that since f~dominates fc the *-property implies the SS-

property.

A state satisfies the ds-property if, for eachmember of b, the specified access mode isincluded in the access matrix entry for thecorresponding subject-object pair. The conceptof a triple satisfying the ds-propert y rel M isanalogous to satisfying the ss-property rel f. Astate is secure if and only if it satisfies the ss-property, the *-property relative to S’, and theds-property.

In addition to restricting subjects fromhaving direct access to information for whichthey are not cleared, this concept of security isintended to prevent the unauthorized flow ofinformation from a higher security level to alower one. The *-property relative to S‘specifically prevents nontrusted subjects fromsimultaneously having read access toinformation at one level and write access toinformation at a lower level.

Bell and LaPadula introduce analogousconstraints on a system. A systemappearance (X,Y,Z)E .Z(R,D, W,Zo) satisfies the ss-property if each state in the sequence < zo,Zl,... >satisfies it. A system satisfies the ss-propertyif each of its appearances does. Analogousdefinitions introduce the notions of a systemsatisfying the *- and ds-properties and theconcept of a secure system. Theorems A1, A2,and A3 (see below), for the SS-, *-, and ds-properties, respectively, show that a systemZ(R,D, W,Zo) satisfies the property in questionfor any initial state that satisfies theproperty if and only if W (1) adds no newelements to b that would violate the propertyand (2) removes any elements that, following

125

the state change, would violate that property.The BST is presented without proof as acorollary of theorems Al, A2, and A3:

Basic Security Theorem: A systemZ(R ,D, W,Zo) is secure iff zo is a secure stateand W satisfies the conditions of theorems Al,A2, and A3 for each action.3

Theorem Al: Z(R,D, W,zo) satisfies the SS-property for any initial state zo that satisfiesthe ss-property iff W satisfies the followingconditions for each action(Ri~i,(b*,M”~,H*),(b,M ffl)):

(i) each (S, O,X)Gb* -b satisfies the ss-propertyrel P;

(ii) if (S,O,X)Gb does not satisfy the SS-property rel f*, then (s,o,x)e b*.

Theorem A2: .X(R ,D, W,ZO) satisfies the *-property relative to S‘ for any initial state zothat satisfies the *-property relative to S‘ iff Wsatisfies the following conditions for each action(Ri,Di,(b”,M*~,H*), (b,Mf&)):

(i) for each SES’, any (s, o,x)e b*-b satisfies the*-property with respect to p;

(ii)for each SE S’,if (S,O,X)Eb doesthe *-property with respect to(s,o,x)eb*.

not satisfyf *, then

Theorem A3: .X(R, D, W.ZO) satisfies the ds-property iff the initial state Z. satisfies the ds-pro~erty and W satisfies the following conditionfor each action (Ri,Di,(b* ,M* ~,H*),(b,Mf,H)]:

(i) if (sk,ol,x)eb *--b, then XEM*kl;

(ii) if (sk,ol,x}~b and xgM*kl, then (Sk,ol,x)g b*.

On the face of it the BST Iooks like what wewant, i, e,, an alternative formulation of securitygiven in terms of state transitions that we cancompare to the Bell -LaPadula model, but it’s—.. ————_—__

3In [3] an appearance satisfies the ss-propertyif each state in < Z1.Z2,... > satisfies the property;no restriction is placed on Zo. .Nevertheless,intent is clear since without this restriction,BST as stated in [31 is false. See [6].

thethe

not. The reason can be seen by examining A1-A3: the concept of a secure action (transform)is defined solely in terms of a secure state. Atransform can alter b, f, or M if the resultingstate does not violate security. Put more baldly,a transform is defined to be secure if it leads toa secure state. The trouble with the theorem asit stands is that if our definition of secure stateis wrong, our theorem is unaffected. In fact ithas been shown in [6] that the BST holds forany system as long as its state sequence isindexed in a way that supports induction. Thesystem can permit subjects to read up, writedown, or whatever. What we need to justify theBell-LaPadula model is an independentdefinition of security we can use to validate ourdefinition of a secure state.

4. A Reformulation of the Bell andLaPadula Model

In light of the inadequacy of the BST tojustify the Bell-LaPadula model, we mustdevelop an independent definition of securetransform or, in Bell and LaPadula’sterminology, of secure action. To this end,consider the following definitions:

Definition: A n action(Ri,Di,(b*,M*~,H* ),(b,M~,H)) is ss-secure iff

(i) if (s,r,o)eb*-b or (s,w,o)eb*~b, then fs(s)dominates fo(o), and (M* ~,H*)=(M$,H);

(ii) if fs(s)#fis(s), then (i) b does not containany triples of the form (s, r,o) or (s, w,o)where fo(o) is not dominated by ~ s(s), and(ii) .Po=fo,Pc=fc, and (b*,M*,H*)=(b,M,H);

(iii) if fo(o)#fio(o), then (i) b does not containany triples of the form (s, r,o) or (s, w,o)where ~ O(o ) is not dominated by fs(s) and(ii) f“s=fs,flc=fc, and (b*,M*,H*)=(b,M,H).

Definition: An action(Ri,Di,(b*,M*~ ,H*),(b,Mf,H)) is *-secure i@

(i) if (s,r,o)eb*-b [(s,w,o)cb*-b, (s,a,o)~b*-b],then fc(s) dominates fo(o) ~o(o) =fc(s), fo(o)dominates fc(s)], and (M*,fl ,H*)=(A4,f,H);

4For simplicity, we assume that no subjects aretrusted, i. e., that S’=S.

126

(ii) if ~c(s)#fl ~(s), then (1) b does not containany triples of the form (s,r,o) [(s,w,o), (s,a,o)]where f. ( o ) is not dominated ~c (s)~o(o)+pc($), PC(S) k not dominated byfo(o)l, and (2) F. =fo, f*s=fs, and(b*,M*&*)=(b,MJi);

(iii) if fo(o)#fio(o), then (1) b does not containany triples of the form (s,r,o) [(s,w,o), (s,a,o)]where f* o (o) is not dominated fc (s )

~ o(o) ~fc(s), fc(s) is not dominated byf“o(o)l and (2) flc=fc, f*s=fs, and(b*,M*ll*)=(b,M,H) .

Definition: action(Ri,Di,(b*,M*~,H* ),(b,MJ,H)) i~~s-secure Vf

(i) if (sx, @,oy)cb *-b, then @GMXy and(M*tPfl*)=(MfrH);

(ii) if @eMxy-M*xy, then (f*, H*)=(f,H) and{(sx,f$,oy)}cb-b* ;

(iii) if 4EMXY-M*XY or I#EM*xy-Mxy, then thesubject executing R i owns Oy and(b* fifi*)=(bfll).5

Definition: An action(Ri,Di,(b*,IkI* ,~,H*),(b,M,f,H)) is secure if it isss-secure, *-secure, and ds-secure.

It is worthwhile examining this definitionin detail. On the face of it, the set of secureactions is exactly the set of actions that meetthe conditions of the BST. This is partly correctin that a secure action always takes one securestate to another, as is proven in the followingtheorem.

Theorem: A system .Z(R,D ,W, zo) is secure if zois a secure state and each action(R@i,(b*,M*fl,H *),( b,Mtf,H))~ W is secure.

Proof: We prove the theorem by induction.Since Z. is secure by hypothesis, we can limitourselves to the case where z~ is secure and

—... ——...— ——————

5There is really no analogue to this condition inthe Bell-LaPadttla axioms, butintuitive requirement. Nothingdepends on secure actions having

it seems anin this paperthis property.

I27

show that Zn+1 must be secure. We show thisby proving that if W consists entirely of secureactions and if Zn is secure, then any action in Wapplied to Zn satisfies the conditions of the BST.Since, as noted in Section 3 above, the *-property implies the ss-property, A2 implies Also we only have to consider A2 and A3. For A2to be false, there must be a (s,o,x)e b * that failsto satisfy the *-property rel f*. Since z~ issecure by hypothesis, either (S, O,x) is a newaccess or f was changed by W so as to violate *-security. The latter is impossible since byclauses (ii) and (iii) of the definition of a *-secure action f can only be so altered if b * =band b is *-secure relative to p. Alternatively, if(s, o ,x) was added by W , clause (i) of thedefinition of a *-secure action guarantees that(s,o,x) is *-secure rel f=fl, and hence, that A2 istrue. For A3 to be false, there must be a(sk,o[,x)~ b* such that xe’M*kl. Since Zn is secureby hypothesis, either b*#b or M* kl#M kl. If theformer, then clause (i) of the definition of a ds -secure action guarantees that the added accessis secure relative to M*= M, and hence, that A3 istrue. If the latter, then an access must havebeen dropped from M. But clause (ii) of thedefinition of a ds-secure action guarantees thatthis same access must have been dropped fromb so A3 is again true, and we are done.~

Hence, secure actions applied to a securestate lead to a secure state, and in this respect,our definitions mirror the BST. However,although our definition of a secure actionsatisfies the if-clause of the BST, it fails the onlyif-clause. It’s not the case that any action thattakes a system from one secure state to anothersecure state is secure. As an example, considerthe system Z whose initial state is secure andthat has only one type of action:

When a subject s requests any type ofaccess to an object o, every subjectand object in the system isdowngraded to the lowest possiblelevel, permission is entered into theaccess matrix M , and the access isrecorded in the current access set b.

It is easy to see that system Z’s actions alwaysleads to a secure state (in the Bell-LaPadulasense) and hence that system Z is certifiablysecure by the lights of the Bell-LaPaduIa model.But though system Z satisfies the BST and the

Bell-LaPadula model’s definition of securesystem, it fails to satisfy the conditions requiredby our definition of a secure action. The factthat a definition of a secure system formulatedin terms of our definition of a secure action issupposed to explicate the same concept as Belland LaPadula’s definition shows that either theformer is too narrow or the latter is too wide.

The fact that system Z gives all subjectsaccess to all objects shows that it is the Bell-LaPadula model that is inadequate. In fact, itshould be clear that any explication of securitybased solely on the notion of a secure statemust fail for a similar reason. At best such anexplication can serve as a definition a secureinitial state. The concept of a secure systemmust be explicated as one whose initial state issecure and whose system transform is secure.

5. The Bell and LaPadula ModelReconsidered

When presented with system Z, some haveresponded with an attitude of “Who cares?”,while others have argued that the Bell-LaPadulamodel’s explication of security consists ofsomething more than the the model’s definitionof secure system and that this something morerules out systems such as z.6 With respect tothe latter, the suggestion is that the modelimplicitly includes the tranquility principle,which prohibits changing the security level ofan (active) object, or that it includes theparticular Multics-based rules given in [3]. Thefirst suggestion can easily be dismissed sincethe tranquility principle is clearly not part ofthe model as given in [3]. Not only is it notmentioned, it is violated by rule 11 of theMultics-based interpretation of the model. Thisis understandable since any model that did notpermit violations of tranquility would be tooconfining to be practical.

———_____________

6All responses to system Z considered in thissection are taken from Computer SecurityForum 5, 18 (July 5, 1986), ed. Ted Lee forArpanet distribution. System Z was originallypresented in issue 14 (June 22, 1986) of theForum, and additional responses appeared inissues 25 (September 23,1986), 27-29 (all October(all December 9, 1986).

1986), 26 {October 5,16, 1986), and 30-31

128

The second suggestion can also bedismissed, but not as easily since [3] seemsambivalent with respect to it. Hence, we readthat the rules are one of the model’s threemajor facets [3, p. 5], yet that the the SS-, *-, andds-properties constitute the “systemcharacteristics that we desire to be maintained”[3, pp. 11-12] and that the rules are merely“one specific solution”, a particular solution that“is in no sense unique, but has been specificallytailored for use with a Multics-basedinformation system design .”[3, p. 19] Thoughthe rules are presented as being part of themodel, the concept of a solution implies thatthey are not part of the model in any senserelevant to our considerations. If one explicatesthe concept of a Cartesian point’s being fiveunits from the origin by requiring that the pointsatisfies the equation X2+Y2=25 and gives (3,4)as a specific solution, we cannot conclude thatthe explication requires that any point (x,y) fiveunits from the origin must have the propertythat x+y=7. Similarly, we cannot conclude fromthe particular solution Bell and LaPadula give,that a secure system must have any properties(beyond the properties of SS-, *-, and ds-security) that the particular solution has.

Rather, the particular system they specifyserves as one example of a system thatprovably satisfies their definition of securesystem. This is meant to justify our belief thatthe specified system is secure in somemeaningful sense. Unfortunately, since systemZ is another system that satisfies theirdefinition of a secure system, the justification isunconvincing. Similarly, we cannot be sure thatany system does not contain security flaws asserious, if not as obvious, as those of system Zsimply because it satisfies the definition ofsecure system provided by the Bell-LaPadulamodel.

Perhaps the most compelling reason forbelieving that the Multics-based rules provideonly an example of a secure system and notfurther properties a secure system must have isthat no other reading of [3] makes sense of therelation between the definition of secure systemand the Multics-based solution. The definitionof a secure system and the particular solutiondon’t convey the same set of constraints so itmakes no sense to say that the two are differentexplications of security. Nor does it make senseto say that the rules are supposed to add

additional constraints that a secure system mustmeet. For one thing, their Multics orientationmakes them too restrictive to serve thispurpose [3, pp. 20-25], and for another, on thisinterpretation the Bell-LaPadula definition ofsecure system would serve no purpose. Itwould be redundant since any system thatmeets the conditions implicit in the rulessatisfies the definition. Finally, thisinterpretation does not do justice to the text. Ifthe rules were to be included in the concept ofbeing a secure system, then the definition ofsuch a system would say that it must satisfy theSs-, *-, and ds-securit y properties and the rules,the BST would have to include the rules, etc.

The only alternative is our view that theBell-LaPadula definition of secure system issupposed to provide all the security-relevantconstraints such a system must meet. Andthough system Z shows that this view isuntenable, it is, in fact, the only option thatmakes sense. Those who accept this view yetare still complacent about system Z seem toview the Bell-LaPadula model as only aframework for representing systems, ratherthan as a criterion that secure systems shouldconform to. In this view showing that a systemconforms to the model says nothing aboutwhether the system is secure. Ignoring thequestion of why we need such a complicatedframework for modeling systems and thequestion of whether this claim makes sense inlight of the prominent role played by thedefinition of secure system in the model, we canstill say that this view certainly runs counter tothe way the model is generally regarded by thecomputer security community.7 If nothing else,

the fact that there can be so much disagreementover something so established and sofundamental is sufficient to cause concern and

7See, e. g., [8, pp. 64-65, 89, 111] which all butrequires that a formal security policy modelused for formal design verification be state-based ii la the Bell-LaPadula model, and whichstates both that such design verification “caneffectively protect classified or other sensitiveinformation stored or processed by the system”and that “the *-property is sufficient to preventthe compromise of information by Trojan Horseattack s.” System Z shows that both claims arefalse.

provide ample reason for dismissing a responseof “Who cares?”.

6. Foundations for Computer Security

Several comments are in order. First, asnoted above, the definitions of secure actionsare more restrictive than what is required bythe Bell-LaPadula model. Some of themcould change without violating security. Forexample, part (ii) of the definition for ds -security could prohibit subjects from removingpermissions to their files if it meant removing acurrent access. However, though such a changealters the flavor of our concept of security, itdoes not yield a strikingly different one. A moresignificant change would be to follow [9] andintroduce a system security officer and theconcept of a role, such as downgrade. Suchpossible changes may be necessary (see below)and, at the least, raise the question of why weprefer one formulation over another.

Second, we must decide where the originalBell-LaPadula model fits in. For a system to besecure, its actions must be secure by thedefinitions given above, and its initial statemust meet the definition of a secure stategiven by Bell and LaPadula. However, thisleaves us with a hybrid definition of securityand not two separate definitions we cancompare. Further, it should be clear that noexplication of security can be based solely onthe notion of a secure transition. The concept ofa secure initial state is always required.

The last statement is the rub. System Zshows that no adequate explication of securitycan be based solely on the notion of a securestate, and we have just seen that there can beno adequate explication based solely on thenotion of a secure transition. Hence, our originalplan of comparing two explications of security,though successful in showing an inadequacy inthe Bell-LaPadula Model, ultimately fails. Ourhybrid approach may be adequate, but we haveno alternative explication to compare wi~h it.We can appeal to intuition, but such appeals areinsufficient, especially in light of weaknessesdisplayed in the intuitively correct Bell-LaPadula Model. In fact, since neither modelhas a system security officer, our reformulationshares with the original model what, to mytaste, is an allf~ and f.. The

too cavalier approach to alteringability to raise a subject’s f~ as

129

long as it has no current accesses or lower anobject’s f. as long as no subject is currentlyaccessing it can obviously lead to securitybreeches. Even the ability to alter fc isunsettling. If processes have no memory, thenthe *-property is too restrictive since there is noneed to prohibit a write down as long as nothingis concurrently being read on a higher level. Ifprocesses have memory, freely lowering fc

obviously presents problems. g

The moral may be that we should changetactics. Instead of searching for some Platonicform of security, it may be time to realize thatthere are several concepts of security thatbear only, to use Wittgenstein’s phrase, a familyresemblance to each other. If this is correct, ourtask should be to look at each applicationseparately where our intuitions are morereliable and explicate the concept of securityrelevant to it [9].

In any event, it is certainly time for thecomputer security community to begin athorough examination of our foundations. TheBell-LaPadula model was a monumental piece ofwork, but it has lived in an overly shelteredenvironment which has permitted it to survivebeyond its rightful time. Like a pamperedoffspring, it has endured, not because it is fit,but because it has been protected from harm.

As it is presented in [3], the model isinadequate to bear the weight the computersecurity community has placed on it, and thosewho insist on its soundness have conflictingviews of it which are inconsistent with [3].Hence, we have developed an environmentwhere our documented foundations areinadequate, yet shielded from adversity byappeals to implicit assumptions “whicheverybody knows about” (even if peopledisagree on what these assumptions are!). Suchan environment prevents the examination ofthe foundations that actually underlie oursystems and will eventually impede the

———-————-—————

8I first heard this point from Debbie Cooper.The only interpretation of the *-property I canthink of that makes sense is if we assume thatprocesses can remember things, but only untiltheir current security level changes. Even then,the property should only prohibit writing to alower level than a previous read.

development of new systems. Until the implicitfoundations many in the computer securitycommunity claim to exist are documented andsubjected to critical scrutiny, our faith in oursystems will be unjustified. Perhaps worse, wewill be doomed to a cycle where as practitionersretire, the assumptions that “everybody knows”will be forgotten, leaving only the informationcontained in the false publications, and thenrediscovered as our new systems fail, only to beforgotten again. Such is the path to neitherscience nor security.

Acknowledgments

I wish to thank Carl Landwehr for his commentson an earlier draft of this paper and all thosewho contributed their thoughts on system Z toComputer Security Forum 5. Of the latter, Iespecially wish to thank Don Good for somemuch appreciated encouragement and for whatI learned from his insightful contribution toissue 27.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

I30

References

L. Wittgenstein, Philosophical Investigations(translated by G. E. M. Anscombe), TheMacmillan Company, New York, 1953.

G. Frege, The Foundations of Arithmetic(translated by J. L. Austin), NorthwesternUniversity Press, Evanston, 1968.D. E. Bell and L. J. LaPadula, Securecomputer system: unified exposition andMultics interpretation, MITRE MTR-2997,Mar. 1976. Available as NTIS AD-A023588.

C. E. Landwehr, Best available technologiesfor computer security, IEEE Computer, Jul.1983.

Panel session on Bell-LaPadula andalternative models of security, S. B.Lipner moderator, IEEE Symposium onSecurity and Privacy, Apr. 1983.

J. McLean, A comment on the “Basic SecurityTheorem” of Bell and LaPadula, InformationProcessing Letters 20 (1985), 67-70.

J. McLean, C. E. Landwehr, and C. L.Heitmeyer, A formal statement of the MMSsecurity model, Proc. 1984 Symposium onSecurity and Privacy, IEEE Computer SocietyPress, 1984.

[8] Department of Defense Trusted ComputerSystem Evaluation Criteria, CSC-STD-001 -83,National Computer Security Center, Ft.Meade, MD, Aug. 1983.

[9] C. E. Landwehr, C. L. Heitmeyer, and J.I’vicLean, A security model for militarymessage systems, Transactions on ComputerSystems 2, 3 (Aug. 1984), 198-222.

131