Computer Security CS 426

Lecture 21

The Bell LaPadula Model

CS426

Fall 2010/Lecture 21

Annoucements
O October t b 15: 15 G Guest t lecture l t by b P Prof. f Steve St Elliott Elli tt on biometrics October 22: Mid-term exam

CS426

Fall 2010/Lecture 21

Bell-LaPadula Model: A MAC Model for Achieving Multi Multi-level level Security
Introduce in 1973 Ai Air Force F was concerned d with ith security it i in ti timesharing systems
Many M OS bugs b Accidental misuse

Main Objective:
E Enable bl one t to f formally ll show h th that t a computer t system t can securely process classified information
CS426 Fall 2010/Lecture 21 3

What is a Security y Model?

A model d ld describes ib th the system t
e.g., a high level specification or an abstract machine description of what hat the s system stem does

A security policy
defines the security requirements for a given system

Verification shows that a policy is satisfied by a system y Model + Security y Policy y = Security y Model System

CS426

Fall 2010/Lecture 21

Security y Goal of BLP

There are security classifications or security levels
Users/principals/subjects have security clearances Objects have security classifications

Example
Top Secret S Secret t Confidential Unclassified

In this case Top Secret > Secret > Confidential > Unclassified Security goal (confidentiality): ensures that information do not flow to those not cleared for that level
CS426 Fall 2010/Lecture 21 5

Approach pp of BLP
Use state-transition state transition systems to describe computer systems Define a system as secure iff. every reachable state satisfies 3 properties
simple-security property, *-property, discretionarysecurity property

Prove a Basic Security Theorem (BST)

so that one can prove a system is secure by proving g about the system y description p things
CS426 Fall 2010/Lecture 21 6

The BLP Security y Model

A computer t system t is i modeled d l d as a statet t transition system
There is a set of f subjects; some are designated as trusted. Each E h state t t has h objects, bj t an access matrix, t i and d th the current access information. There are state transition rules describing how a system can go from one state to another Each subject s has a maximal sec level Lm(s), (s) and a current sec level Lc(s) Each object has a classification level
CS426 Fall 2010/Lecture 21 7

Elements of the BLP Model

Security levels, e.g.: {TS, S, C, U} Lm: Max Sec Level Sec. Subjects Trusted Subjects Current Accesses Lc: Current Sec Level Sec. L: Class. Lev Lev. Objects

Access Matrix
CS426 Fall 2010/Lecture 21 8

The BLP Security y Model

A state t t is i secure if it satisfies ti fi
Simple Security Condition (no read up):
S can read O iff ff Lm(S) L(O) (O)

The Star Property (no write down): for any S that is not trusted
S can read O iff Lc(S) L(O) S can write O iff Lc(S) L(O)

Discretionary-security property
every access is allowed by the access matrix

A system is secure if and only if every reachable state is secure. secure

CS426 Fall 2010/Lecture 21 9

STAR-PROPERTY
Applies to subjects (principals) not to users Users are trusted (must be trusted) not to di l disclose secret ti information f ti outside t id of f th the computer system Subjects are not trusted because they may have Trojan Horses embedded in the code they execute t Star-property prevents overt leakage of information and does not address the covert channel problem
Fall 2010/Lecture 21 10

CS426

Is BLP Notion of Security y Good?

The Th objective bj ti of f BLP security it i is t to ensure
a subject cleared at a low level should never read information classified high

The ss-property and the *-property are sufficient to stop such information flow at any given state. What about information flow across states?

CS426

Fall 2010/Lecture 21

11

BLP Security y Is Not Sufficient!

Consider a system with s1,s s2,o o1,o o2
fS(s1)=fC(s1)=fO(o1)=high fS(s2)=fC(s2)=fO(o2) =low

And the following execution

s1 gets access to o1, read something, something release access access, then change current level to low, get write access to o2, write to o2

Every state is secure, yet illegal information exists Solution: tranquility principle: subject cannot change current levels
CS426 Fall 2010/Lecture 21 12

Main Contributions of BLP

The overall methodology to show that a system is secure
adopted in many later works

The state-transition model

which includes an access matrix matrix, subject security levels, object levels, etc.

The introduction of *-property property

ss-property is not enough to stop illegal information flow

CS426

Fall 2010/Lecture 21

13

Other Issues with BLP

Deal only with confidentiality confidentiality,
does not deal with integrity at all

Does not deal with information flow through covert channels

CS426

Fall 2010/Lecture 21

14

Overt (Explicit) Channels vs. Covert Channels

Security objective of MLS in general general, BLP in particular
high high-classified classified information cannot flow to low low-cleared cleared users

Overt channels of information flow

read/write an object

Covert channels of information flow

communication channel based on the use of system resources not normally y intended for communication between the subjects (processes) in the system

CS426

Fall 2010/Lecture 21

15

Examples p of Covert Channels

Using U i fil file l lock k as a shared h db boolean l variable i bl By varying its ratio of computing to input/output or its paging rate, the service can transmit information to a concurrently running process Covert channels are often noisy However, information theory and coding theory can be used to encode and decode information through noisy channels

CS426

Fall 2010/Lecture 21

16

More on Covert Channels

Covert channels cannot be blocked by * *-property property It is generally very difficult, if not impossible, to block all cover channels One can try to limit the bandwidth of covert channels Military requires cryptographic components be implemented in hardware
to avoid trojan horse leaking keys through covert channels

CS426

Fall 2010/Lecture 21

17

More on MLS: Security y Levels

Used U d as attributes tt ib t of fb both th subjects bj t & objects bj t
clearance & classification

Typical military security levels:

top secret secret confidential unclassified

Typical commercial security levels

restricted p proprietary p y sensitive p public

CS426

Fall 2010/Lecture 21

18

Security y Categories g
Also Al k known as compartments t t Typical military security categories
army, navy, air force nato, nasa, noforn

Typical commercial security categories

Sales, , R&D, , HR Dept A, Dept B, Dept C

CS426

Fall 2010/Lecture 21

19

Security y Labels
L Labels b l =L Levels l P (Categories) (C t i ) Define an ordering relationship among Labels
(e1, C1) (e2, C2) iff. e1 e2 and C1 C2

This ordering g relation is a p partial order

reflexive, transitive, anti-symmetric e.g., g,

All security labels form a lattice

CS426

Fall 2010/Lecture 21

20

An Example p Security y Lattice

levels={top l l {t secret, t secret} t} categories={army,navy}
Top Secret, {army, navy} Top Secret, {army} Top p Secret, , {} Top Secret, {navy} Secret, Sec e , {army} { y} Secret, , {}
CS426 Fall 2010/Lecture 21 21

Secret, {army, navy} Secret, , {navy} { y}

The need-to-know principle p p

E Even if someone h has all ll th the necessary official ffi i l approvals (such as a security clearance) to access certain t i i information f ti they th should h ld not tb be given access to such information unless they h have a need dt to k know: that th t is, i unless l access t to the specific information necessary for the conduct d t of f one's ' official ffi i l duties. d ti Can be implemented using categories and or DAC

CS426

Fall 2010/Lecture 21

22

Readings g for This Lecture

Wikipedia
Bell-LaPadula model David E. Bell: Looking Back at the Bell-La La Padula Model

CS426

Fall 2010/Lecture 21

23

Coming g Attractions
T Trusted t d Operating O ti Systems S t and d Assurance

CS426

Fall 2010/Lecture 21

24