The Bell-LaPadula Model · Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that no transition leads

The Bell-LaPadula ModelCSM27 Computer Security

Dr Hans Georg Schaathun

University of Surrey

Autumn 2007

Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 1 / 25

The session

Session objectives

Be able to use the principle of finite automata to describe securitymodels.Understand the confidentiality policy of Bell-LaPadulaUnderstand the limitations of Bell-LaPadula


Finite Automata

A finite automata

state-machine ≈ automataA set of states, QAn input alphabet Σ

labels for the state transitions

inital state q0 ∈ Qaccepting states A ⊂ Qtransition function δ : Q × Σ → Q

equivalent to the edges (arrows)

0 1

2 3

4 5

0

0 1

0

1

1

10

0

1

1

0


Finite Automata

A finite automata

A state can be good or badsecure or insecure

Transitions from good to badstates are dangerous.Two criteria

Start state be secureNo transition from secure toinsecure

0 1

2 3

4 5

0

0 1

0

1

1

10

0

1

1

0


Finite Automata

A finite automata




0 1

2 3

4 5

0

0 1

0

1

1

10

0

1

1

0


Finite Automata

A finite automata




0 1

2 3

4 5

0

0 1

0

1

1

11

00

1

1

0


Bell-LaPadula

The principle of an automata model

1 Describe all secure states2 Describe transitions from secure states3 Prove that no transition leads from secure to insecure

If this is possible, the system is provably secure.Bell-LaPadula is one description of secure states.

Similar principles apply to e.g. database developmentDatabase has to be maintained in a consistent stateNo operation (transition) allowed to bring the database to aninconsistent state


Bell-LaPadula

Elements of Access Control

a set of subjects Sa set of objects Oset of access operations A = {execute,read,append,write}A set of security levels L, with a partial ordering ≤


Bell-LaPadula

The State Set

A state : (b, M, f ), includesAccess operations currently in use b

List of tuples (s, o, a), s ∈ S, o ∈ O, a ∈ A.Access permission matrix

M = (Ms,o)s∈S,o∈O , where Ms,o ⊂ AClearance and classification f = (fS, fC , fO)

fS : S → L maximal security level of a subjectfC : S → L current security level of a subject (fC ≤ fS)fO : O → L classification of an object


Security Properties

Simple Security Property (SS-property)

A state (b, M, f ) satisfies the SS-property if∀(s, o, a) ∈ b, such that a ∈ {read,write}fO(o) ≤ fS(s)

I.e. a subject can only observe objects of lower classification


Security Properties

What about write access?

What policy do we need for write access?Integrity: no write-up (to higher security levels)Confidentiality: no write-down (to lower security levels)Bell-LaPadula concerns confidentialitySubject must not transmit messages to subjects at lower levelsCurrent security level allows communications

A subject has to be downgraded to send messagesBecause subjects are computer programs

they can be made to forget their knowledge when downgraded


Security Properties






Security Properties






Security Properties






Security Properties






Security Properties






Security Properties

*-property

A state (b, M, f ) satisfies the *-property if∀(s, o, a) ∈ b, such that a ∈ {append,write}fC(s) ≤ fO(o)

andif ∃(s, o, a) ∈ b where a ∈ {append,write},then ∀o′, a′ ∈ {read,write}, such that (s, o′, a′) ∈ bfO(o′) ≤ fO(o)

I.e. a subject can only alter objects of higher classification,and cannot read a high-level object while writing to a low-levelobject.


Security Properties

Discretionary Security Property

Previous security properties provide Mandatory Access Controli.e. a centrally defined access policy

The security levels are defined by a central policyDiscreationary Access Control (DAC) decentralises the controlThe access control matrix M allows DAC in Bell-LaPadula

A state (b, M, f ) satisfies the DS-property if∀(s, o, a) ∈ ba ∈ Ms,o.


Security Properties






Security Properties






Security Properties






Limitations

The Criticism of McLean

What happens if we . . .downgrade all subjects to lowest security leveldowngrade all objects to lowest security levelenter all access rights in the ACM M

Is the system secure?It satisfies every security property of BLP!


Limitations

The Criticism of McLean

What happens if we . . .downgrade all subjects to lowest security leveldowngrade all objects to lowest security levelenter all access rights in the ACM M

Is the system secure?It satisfies every security property of BLP!


Limitations

The sides of the conflict

A system which can be brought to a state with norestrictions cannot be secure.

McLean

This is application dependent. If the users need it, itshould be possible. Otherwise it should not be implemented.

Bell


Limitations

Tranquility

McLean’s scenario is really out of scope for BLPBLP considered tranquil systems,

where permissions do not changeEither a system or an operation may be tranquil

A tranquil operation does not change access rights.A tranquil system has no non-tranquil operations.

Tranquility is a particular concern whenoperation tries to remove an access right currently in useHow should this be resolved?


Limitations

Covert Channels

Low-level subject sl creates object oHigh-level accomplice sh either

reclassifies o to its own level (Message 1)leaves o unchanged (Message 0)

sl tries to access o, which is eithersuccess (Message 0)access denied (Message 1)

One bit of information is transmitted sh → sl


Limitations

Covert Channels






Limitations

Covert Channels






Limitations

Covert Channels






Limitations

Limitations

BLP’s concern is confidentialitylimits the access and sharing of informationno integrity policyno availability policy

BLP assumes a fixed rightsassumes tranquilityno model for access managementno model for policy making

Allows Covert Channels


Multics

What and when was Multics?

Massive research project in early 70-sObjective: Secure, reliable, etc multiuser OS

i.e. Multics

The Bell-LaPadula model was a result of the researchThe ambitions made Multics too heavy-weight for most

Unix is a spin-off by some project memberssimpler and more user-friendly,


Multics

Objects

Objects : memory segments, I/O devices, et c.hierarchically organised in directory treeinformation stored in parent directory

Access Control List (ACL) representing MSecurity level (classification) fO

Access to an object traverses path from rootAccess requires access to all ancestorsLow-level object in high-level directory makes little sense

Compatibility: Every object has security-level dominating that ofthe parent directory


Multics

Objects






Multics

Objects






Multics

Subjects

Subject = processDescriptor segment describes the process, its rights, and itsaccessesSegment Descriptor Word (SDW) [representing b] for each objectcurrently accessed

segment-id ptr r: on e: off w: one

fC : Current-level tablefS : Process-level tableactive segment table : which processes are active


Multics

Translating policies

Every parameter of the BLP statehas a representation in Multics data fields

Security policies can be rephrased,referring to Multics data fields


Multics

Translating policies

Every parameter of the BLP statehas a representation in Multics data fields

Security policies can be rephrased,referring to Multics data fields


Multics

Example: The SS-property


Multics

Kernel primitives

Kernel primitives ∼ state transitionsrelease_readgive_readcreate_objectdelete_objectrevoke_readchange_subject_current_security_level

Ideally CPU instructions and OS kernel primitives match


Multics

Kernel primitive: get_read

Example: get_readSubject s wants to read object oso s asks OS to add (s, o,read) to b

The OS has to check this with the security policy, i.e.The ACL of o includes (s,read)fO(o) ≤ fS(s)Either

fO ≤ fC(s); orSubject s is trusted.

Access permitted if and only if all three conditions are met.


Conclusion

Multics and security models

The state-machine is an effective model of a computer systemBell-LaPadula describes secure states and transisionsIf all transitions (and starting state) are secure, the system has tobe secureIn multics,

data-fields correspond to state parameterskernel primitives correspond to transitions


Conclusion

Exercise sheet

Write a short essay stating your position in the Bell vs McLeandebate.

It is helpful to address as many of the strengths and weeknesses ofBLP as possible, in order to build an argument for your view.Suggested length 1

2 -2 pages. Longer is not necessarily better.


Documents

The Bell-LaPadula Model · Bell-LaPadula The principle of an automata model 1 Describe all secure states 2 Describe transitions from secure states 3 Prove that no transition leads