Professional Documents
Culture Documents
Lecture 21
CS426
Fall 2010/Lecture 21
Annoucements
O October t b 15: 15 G Guest t lecture l t by b P Prof. f Steve St Elliott Elli tt on biometrics October 22: Mid-term exam
CS426
Fall 2010/Lecture 21
Bell-LaPadula Model: A MAC Model for Achieving Multi Multi-level level Security
Introduce in 1973 Ai Air Force F was concerned d with ith security it i in ti timesharing systems
Many M OS bugs b Accidental misuse
Main Objective:
E Enable bl one t to f formally ll show h th that t a computer t system t can securely process classified information
CS426 Fall 2010/Lecture 21 3
A security policy
defines the security requirements for a given system
Verification shows that a policy is satisfied by a system y Model + Security y Policy y = Security y Model System
CS426
Fall 2010/Lecture 21
Example
Top Secret S Secret t Confidential Unclassified
In this case Top Secret > Secret > Confidential > Unclassified Security goal (confidentiality): ensures that information do not flow to those not cleared for that level
CS426 Fall 2010/Lecture 21 5
Approach pp of BLP
Use state-transition state transition systems to describe computer systems Define a system as secure iff. every reachable state satisfies 3 properties
simple-security property, *-property, discretionarysecurity property
Access Matrix
CS426 Fall 2010/Lecture 21 8
The Star Property (no write down): for any S that is not trusted
S can read O iff Lc(S) L(O) S can write O iff Lc(S) L(O)
Discretionary-security property
every access is allowed by the access matrix
STAR-PROPERTY
Applies to subjects (principals) not to users Users are trusted (must be trusted) not to di l disclose secret ti information f ti outside t id of f th the computer system Subjects are not trusted because they may have Trojan Horses embedded in the code they execute t Star-property prevents overt leakage of information and does not address the covert channel problem
Fall 2010/Lecture 21 10
CS426
The ss-property and the *-property are sufficient to stop such information flow at any given state. What about information flow across states?
CS426
Fall 2010/Lecture 21
11
Every state is secure, yet illegal information exists Solution: tranquility principle: subject cannot change current levels
CS426 Fall 2010/Lecture 21 12
CS426
Fall 2010/Lecture 21
13
CS426
Fall 2010/Lecture 21
14
CS426
Fall 2010/Lecture 21
15
CS426
Fall 2010/Lecture 21
16
CS426
Fall 2010/Lecture 21
17
CS426
Fall 2010/Lecture 21
18
Security y Categories g
Also Al k known as compartments t t Typical military security categories
army, navy, air force nato, nasa, noforn
CS426
Fall 2010/Lecture 21
19
Security y Labels
L Labels b l =L Levels l P (Categories) (C t i ) Define an ordering relationship among Labels
(e1, C1) (e2, C2) iff. e1 e2 and C1 C2
CS426
Fall 2010/Lecture 21
20
CS426
Fall 2010/Lecture 21
22
CS426
Fall 2010/Lecture 21
23
Coming g Attractions
T Trusted t d Operating O ti Systems S t and d Assurance
CS426
Fall 2010/Lecture 21
24