Upload
others
View
0
Download
0
Embed Size (px)
Citation preview
The Bell-LaPadula ModelCSM27 Computer Security
Dr Hans Georg Schaathun
University of Surrey
Autumn 2007
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 1 / 25
The session
Session objectives
Be able to use the principle of finite automata to describe securitymodels.Understand the confidentiality policy of Bell-LaPadulaUnderstand the limitations of Bell-LaPadula
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 2 / 25
Finite Automata
A finite automata
state-machine ≈ automataA set of states, QAn input alphabet Σ
labels for the state transitions
inital state q0 ∈ Qaccepting states A ⊂ Qtransition function δ : Q × Σ → Q
equivalent to the edges (arrows)
0 1
2 3
4 5
0
0 1
0
1
1
10
0
1
1
0
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 3 / 25
Finite Automata
A finite automata
A state can be good or badsecure or insecure
Transitions from good to badstates are dangerous.Two criteria
Start state be secureNo transition from secure toinsecure
0 1
2 3
4 5
0
0 1
0
1
1
10
0
1
1
0
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 4 / 25
Finite Automata
A finite automata
A state can be good or badsecure or insecure
Transitions from good to badstates are dangerous.Two criteria
Start state be secureNo transition from secure toinsecure
0 1
2 3
4 5
0
0 1
0
1
1
10
0
1
1
0
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 4 / 25
Finite Automata
A finite automata
A state can be good or badsecure or insecure
Transitions from good to badstates are dangerous.Two criteria
Start state be secureNo transition from secure toinsecure
0 1
2 3
4 5
0
0 1
0
1
1
11
00
1
1
0
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 4 / 25
Bell-LaPadula
The principle of an automata model
1 Describe all secure states2 Describe transitions from secure states3 Prove that no transition leads from secure to insecure
If this is possible, the system is provably secure.Bell-LaPadula is one description of secure states.
Similar principles apply to e.g. database developmentDatabase has to be maintained in a consistent stateNo operation (transition) allowed to bring the database to aninconsistent state
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 5 / 25
Bell-LaPadula
Elements of Access Control
a set of subjects Sa set of objects Oset of access operations A = {execute,read,append,write}A set of security levels L, with a partial ordering ≤
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 6 / 25
Bell-LaPadula
The State Set
A state : (b, M, f ), includesAccess operations currently in use b
List of tuples (s, o, a), s ∈ S, o ∈ O, a ∈ A.Access permission matrix
M = (Ms,o)s∈S,o∈O , where Ms,o ⊂ AClearance and classification f = (fS, fC , fO)
fS : S → L maximal security level of a subjectfC : S → L current security level of a subject (fC ≤ fS)fO : O → L classification of an object
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 7 / 25
Security Properties
Simple Security Property (SS-property)
A state (b, M, f ) satisfies the SS-property if∀(s, o, a) ∈ b, such that a ∈ {read,write}fO(o) ≤ fS(s)
I.e. a subject can only observe objects of lower classification
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 8 / 25
Security Properties
What about write access?
What policy do we need for write access?Integrity: no write-up (to higher security levels)Confidentiality: no write-down (to lower security levels)Bell-LaPadula concerns confidentialitySubject must not transmit messages to subjects at lower levelsCurrent security level allows communications
A subject has to be downgraded to send messagesBecause subjects are computer programs
they can be made to forget their knowledge when downgraded
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 9 / 25
Security Properties
What about write access?
What policy do we need for write access?Integrity: no write-up (to higher security levels)Confidentiality: no write-down (to lower security levels)Bell-LaPadula concerns confidentialitySubject must not transmit messages to subjects at lower levelsCurrent security level allows communications
A subject has to be downgraded to send messagesBecause subjects are computer programs
they can be made to forget their knowledge when downgraded
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 9 / 25
Security Properties
What about write access?
What policy do we need for write access?Integrity: no write-up (to higher security levels)Confidentiality: no write-down (to lower security levels)Bell-LaPadula concerns confidentialitySubject must not transmit messages to subjects at lower levelsCurrent security level allows communications
A subject has to be downgraded to send messagesBecause subjects are computer programs
they can be made to forget their knowledge when downgraded
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 9 / 25
Security Properties
What about write access?
What policy do we need for write access?Integrity: no write-up (to higher security levels)Confidentiality: no write-down (to lower security levels)Bell-LaPadula concerns confidentialitySubject must not transmit messages to subjects at lower levelsCurrent security level allows communications
A subject has to be downgraded to send messagesBecause subjects are computer programs
they can be made to forget their knowledge when downgraded
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 9 / 25
Security Properties
What about write access?
What policy do we need for write access?Integrity: no write-up (to higher security levels)Confidentiality: no write-down (to lower security levels)Bell-LaPadula concerns confidentialitySubject must not transmit messages to subjects at lower levelsCurrent security level allows communications
A subject has to be downgraded to send messagesBecause subjects are computer programs
they can be made to forget their knowledge when downgraded
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 9 / 25
Security Properties
What about write access?
What policy do we need for write access?Integrity: no write-up (to higher security levels)Confidentiality: no write-down (to lower security levels)Bell-LaPadula concerns confidentialitySubject must not transmit messages to subjects at lower levelsCurrent security level allows communications
A subject has to be downgraded to send messagesBecause subjects are computer programs
they can be made to forget their knowledge when downgraded
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 9 / 25
Security Properties
*-property
A state (b, M, f ) satisfies the *-property if∀(s, o, a) ∈ b, such that a ∈ {append,write}fC(s) ≤ fO(o)
andif ∃(s, o, a) ∈ b where a ∈ {append,write},then ∀o′, a′ ∈ {read,write}, such that (s, o′, a′) ∈ bfO(o′) ≤ fO(o)
I.e. a subject can only alter objects of higher classification,and cannot read a high-level object while writing to a low-levelobject.
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 10 / 25
Security Properties
Discretionary Security Property
Previous security properties provide Mandatory Access Controli.e. a centrally defined access policy
The security levels are defined by a central policyDiscreationary Access Control (DAC) decentralises the controlThe access control matrix M allows DAC in Bell-LaPadula
A state (b, M, f ) satisfies the DS-property if∀(s, o, a) ∈ ba ∈ Ms,o.
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 11 / 25
Security Properties
Discretionary Security Property
Previous security properties provide Mandatory Access Controli.e. a centrally defined access policy
The security levels are defined by a central policyDiscreationary Access Control (DAC) decentralises the controlThe access control matrix M allows DAC in Bell-LaPadula
A state (b, M, f ) satisfies the DS-property if∀(s, o, a) ∈ ba ∈ Ms,o.
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 11 / 25
Security Properties
Discretionary Security Property
Previous security properties provide Mandatory Access Controli.e. a centrally defined access policy
The security levels are defined by a central policyDiscreationary Access Control (DAC) decentralises the controlThe access control matrix M allows DAC in Bell-LaPadula
A state (b, M, f ) satisfies the DS-property if∀(s, o, a) ∈ ba ∈ Ms,o.
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 11 / 25
Security Properties
Discretionary Security Property
Previous security properties provide Mandatory Access Controli.e. a centrally defined access policy
The security levels are defined by a central policyDiscreationary Access Control (DAC) decentralises the controlThe access control matrix M allows DAC in Bell-LaPadula
A state (b, M, f ) satisfies the DS-property if∀(s, o, a) ∈ ba ∈ Ms,o.
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 11 / 25
Limitations
The Criticism of McLean
What happens if we . . .downgrade all subjects to lowest security leveldowngrade all objects to lowest security levelenter all access rights in the ACM M
Is the system secure?It satisfies every security property of BLP!
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 12 / 25
Limitations
The Criticism of McLean
What happens if we . . .downgrade all subjects to lowest security leveldowngrade all objects to lowest security levelenter all access rights in the ACM M
Is the system secure?It satisfies every security property of BLP!
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 12 / 25
Limitations
The sides of the conflict
A system which can be brought to a state with norestrictions cannot be secure.
McLean
This is application dependent. If the users need it, itshould be possible. Otherwise it should not be implemented.
Bell
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 13 / 25
Limitations
Tranquility
McLean’s scenario is really out of scope for BLPBLP considered tranquil systems,
where permissions do not changeEither a system or an operation may be tranquil
A tranquil operation does not change access rights.A tranquil system has no non-tranquil operations.
Tranquility is a particular concern whenoperation tries to remove an access right currently in useHow should this be resolved?
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 14 / 25
Limitations
Covert Channels
Low-level subject sl creates object oHigh-level accomplice sh either
reclassifies o to its own level (Message 1)leaves o unchanged (Message 0)
sl tries to access o, which is eithersuccess (Message 0)access denied (Message 1)
One bit of information is transmitted sh → sl
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 15 / 25
Limitations
Covert Channels
Low-level subject sl creates object oHigh-level accomplice sh either
reclassifies o to its own level (Message 1)leaves o unchanged (Message 0)
sl tries to access o, which is eithersuccess (Message 0)access denied (Message 1)
One bit of information is transmitted sh → sl
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 15 / 25
Limitations
Covert Channels
Low-level subject sl creates object oHigh-level accomplice sh either
reclassifies o to its own level (Message 1)leaves o unchanged (Message 0)
sl tries to access o, which is eithersuccess (Message 0)access denied (Message 1)
One bit of information is transmitted sh → sl
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 15 / 25
Limitations
Covert Channels
Low-level subject sl creates object oHigh-level accomplice sh either
reclassifies o to its own level (Message 1)leaves o unchanged (Message 0)
sl tries to access o, which is eithersuccess (Message 0)access denied (Message 1)
One bit of information is transmitted sh → sl
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 15 / 25
Limitations
Limitations
BLP’s concern is confidentialitylimits the access and sharing of informationno integrity policyno availability policy
BLP assumes a fixed rightsassumes tranquilityno model for access managementno model for policy making
Allows Covert Channels
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 16 / 25
Multics
What and when was Multics?
Massive research project in early 70-sObjective: Secure, reliable, etc multiuser OS
i.e. Multics
The Bell-LaPadula model was a result of the researchThe ambitions made Multics too heavy-weight for most
Unix is a spin-off by some project memberssimpler and more user-friendly,
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 17 / 25
Multics
Objects
Objects : memory segments, I/O devices, et c.hierarchically organised in directory treeinformation stored in parent directory
Access Control List (ACL) representing MSecurity level (classification) fO
Access to an object traverses path from rootAccess requires access to all ancestorsLow-level object in high-level directory makes little sense
Compatibility: Every object has security-level dominating that ofthe parent directory
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 18 / 25
Multics
Objects
Objects : memory segments, I/O devices, et c.hierarchically organised in directory treeinformation stored in parent directory
Access Control List (ACL) representing MSecurity level (classification) fO
Access to an object traverses path from rootAccess requires access to all ancestorsLow-level object in high-level directory makes little sense
Compatibility: Every object has security-level dominating that ofthe parent directory
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 18 / 25
Multics
Objects
Objects : memory segments, I/O devices, et c.hierarchically organised in directory treeinformation stored in parent directory
Access Control List (ACL) representing MSecurity level (classification) fO
Access to an object traverses path from rootAccess requires access to all ancestorsLow-level object in high-level directory makes little sense
Compatibility: Every object has security-level dominating that ofthe parent directory
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 18 / 25
Multics
Subjects
Subject = processDescriptor segment describes the process, its rights, and itsaccessesSegment Descriptor Word (SDW) [representing b] for each objectcurrently accessed
segment-id ptr r: on e: off w: one
fC : Current-level tablefS : Process-level tableactive segment table : which processes are active
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 19 / 25
Multics
Translating policies
Every parameter of the BLP statehas a representation in Multics data fields
Security policies can be rephrased,referring to Multics data fields
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 20 / 25
Multics
Translating policies
Every parameter of the BLP statehas a representation in Multics data fields
Security policies can be rephrased,referring to Multics data fields
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 20 / 25
Multics
Example: The SS-property
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 21 / 25
Multics
Kernel primitives
Kernel primitives ∼ state transitionsrelease_readgive_readcreate_objectdelete_objectrevoke_readchange_subject_current_security_level
Ideally CPU instructions and OS kernel primitives match
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 22 / 25
Multics
Kernel primitive: get_read
Example: get_readSubject s wants to read object oso s asks OS to add (s, o,read) to b
The OS has to check this with the security policy, i.e.The ACL of o includes (s,read)fO(o) ≤ fS(s)Either
fO ≤ fC(s); orSubject s is trusted.
Access permitted if and only if all three conditions are met.
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 23 / 25
Conclusion
Multics and security models
The state-machine is an effective model of a computer systemBell-LaPadula describes secure states and transisionsIf all transitions (and starting state) are secure, the system has tobe secureIn multics,
data-fields correspond to state parameterskernel primitives correspond to transitions
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 24 / 25
Conclusion
Exercise sheet
Write a short essay stating your position in the Bell vs McLeandebate.
It is helpful to address as many of the strengths and weeknesses ofBLP as possible, in order to build an argument for your view.Suggested length 1
2 -2 pages. Longer is not necessarily better.
Dr Hans Georg Schaathun The Bell-LaPadula Model Autumn 2007 25 / 25