The Bell-Lapadula model of protection systems deals with the control of information flow. Each subject has a clearance and each object has a classification which attaches it to a security level. Access rights given to a subject are the following: Read-Only: The subject can only read the object.
The Bell-Lapadula model of protection systems deals with the control of information flow. Each subject has a clearance and each object has a classification which attaches it to a security level. Access rights given to a subject are the following: Read-Only: The subject can only read the object.
Copyright:
Attribution Non-Commercial (BY-NC)
Available Formats
Download as DOC, PDF, TXT or read online from Scribd
The Bell-Lapadula model of protection systems deals with the control of information flow. Each subject has a clearance and each object has a classification which attaches it to a security level. Access rights given to a subject are the following: Read-Only: The subject can only read the object.
Copyright:
Attribution Non-Commercial (BY-NC)
Available Formats
Download as DOC, PDF, TXT or read online from Scribd
The Bell-Lapadula Model of protection systems deals with the
control of information flow. It is a linear non-discretionary model. This model of protection consists of the following components:
• A set of subjects, a set of objects, and an access control
matrix. • Several ordered security levels. Each subject has a clearance and each object has a classification which attaches it to a security level. Each subject also has a current clearance level which does not exceed its clearance level. Thus a subject can only change to a clearance level below its assigned clearance level.
The set of access rights given to a subject are the following:
• Read-Only: The subject can only read the object.
• Append : The subject can only write to the object but it cannot read. • Execute : The subject can execute the object but can neither read nor write. • Read-Write: The subject has both read and write permissions to the object.
Control Attribute: This is an attribute given to the subject that
creates an object. Due to this, the creator of an object can pass any of the above four access rights of that object to any subject. However, it cannot pass the control attribute itself. The creator of an object is also known as the controller of that object.
Restrictions imposed by the Bell-Lapadula Model:
The following restrictions are imposed by the model:
• reading down: A subject has only read access to objects
whose security level is below the subject's current clearance level. This prevents a subject from getting access to information available in security levels higher than its current clearance level. • writing up: A subject has append access to objects whose security level is higher than its current clearance level. This prevents a subject from passing information to levels lower than its current level.
The Bell-Lapadula model supplements the access matrix with the
above restrictions to provide access control and information flow. For instance, if a subject has read access to an object in the access matrix, it may still not be able to exercise this right if the object is at a security level higher than its clearance level. Bell and Lapadula modeled the behavior of a protection system as a finite state machine and defined a set of state transitions that would not violate the security of the system. The following operations gaurantee a secure system:
• get access: Used by a subject to initiate access to an object
(read, append, execute etc ) • release access: Used by a subject to giveup an initiated access. • give access: Controller of an object can give a particular access (to that object) to a subject. • rescind access: Controller of an object can revoke a designated access ( to that object) from a subject. • create object: Allows a subject to activate an inactive object. • delete object: Allows a subject to deactivate an active object. • change security level:Allows a subject to change its clearance level ( below an initial assigned value)
However certain conditions have to be satisfied before the above
operations can be performed. For instance, a subject can exercise give and rescind rights to an object only if it has control attributes to that object.
Bell-Lapadula is a simple linear model that exercises access and
information flow control through the above restrictive properties and operations. However, it has a disadvantage of security levels of objects being static. The properties of this model might become too restrictive in cases when certain operations are outside the context of protection system.
Questions
1) What is the effect of reading down and writing up restrictions
imposed by the Bell-Lapadula model?
2) Why is a subject's current clearance level only lower than its
initial assigned clearance level ?
3) Write down the conditions to be satisfied for each of the seven
operations to be executed.
4) Why is the Bell-Lapadula model a non-discretionary one?
References
Singhal,M. and Shivaratri,N.: Advanced Concepts in Operating
Systems , McGraw-Hill, 1994.
Peterson,J.L. and Silberschatz,A.: Operating System Concepts, 2nd
Discretionary access control mechanisms, while generally e_ective, have certain weaknesses. In particular they are susceptible to Trojan horse schemes whereby a devious Security 509 unauthorized user can trick an authorized user into disclosing sensitive data. For example, suppose that student Tricky Dick wants to break into the grade tables of instructor Trustin Justin. Dick does the following: He creates a new table called MineAllMine and gives INSERT privileges on this table to Justin (who is blissfully unaware of all this attention, of course). He modi_es the code of some DBMS application that Justin uses often to do a couple of additional things: _rst, read the Grades table, and next, write the result into MineAllMine. Then he sits back and waits for the grades to be copied into MineAllMine and later undoes the modi_cations to the application to ensure that Justin does not somehow _nd out later that he has been cheated. Thus, despite the DBMS enforcing all discretionary access controls|only Justin's authorized code was allowed to access Grades|sensitive data is disclosed to an intruder. The fact that Dick could surreptitiously modify Justin's code is outside the scope of the DBMS's access control mechanism. Mandatory access control mechanisms are aimed at addressing such loopholes in discretionary access control. The popular model for mandatory access control, called the Bell-LaPadula model, is described in terms of objects (e.g., tables, views, rows, columns), subjects (e.g., users, programs), security classes, and clearances. Each database object is assigned a security class, and each subject is assigned clearance for a security class; we will denote the class of an object or subject A as class(A). The security classes in a system are organized according to a partial order, with a most secure class and a least secure class. For simplicity, we will assume that there are four classes: top secret (TS), secret (S), con_dential (C), and unclassi_ed (U). In this system, TS > S > C > U, where A > B means that class A data is more sensitive than class B data. The Bell-LaPadula model imposes two restrictions on all reads and writes of database objects: 1. Simple Security Property: Subject S is allowed to read object O only if class(S) _ class(O). For example, a user with TS clearance can read a table with C clearance, but a user with C clearance is not allowed to read a table with TS classi_- cation. 2. *-Property: Subject S is allowed to write object O only if class(S) _ class(O). For example, a user with S clearance can only write objects with S or TS classi_cation. If discretionary access controls are also speci_ed, these rules represent additional restrictions.
Thus, to read or write a database object, a user must
have the necessary privileges (obtained via GRANT commands) and the security classes of the user and the object must satisfy the preceding restrictions. Let us consider how such a mandatory 510 Chapter 17 control mechanism might have foiled Tricky Dick. The Grades table could be classi _ed as S, Justin could be given clearance for S, and Tricky Dick could be given a lower clearance (C). Dick can only create objects of C or lower classi_cation; thus, the table MineAllMine can have at most the classi_cation C. When the application program running on behalf of Justin (and therefore with clearance S) tries to copy Grades into MineAllMine, it is not allowed to do so because class(MineAllMine) < class(application), and the *-Property is violated.