Computer Security MT24, Bell-LaPadula model
Flashcards
What is the Bell-LaPadula model intuitively?
A formal model of security which aims to capture what it means for a system to be “confidential”. It’s a framework in which a real system can be tested to decide whether the system maintains the confidentiality of certain data.
Is the Bell-LaPadula model concerned primarily with confidentiality or integrity?
Confidentiality.
@Define the components of the Bell-LaPadula model, omitting the details of the properties a state must satisfy for it to be secure.
- (Normal components of any access control model: $\mathcal S$, $\mathcal O$, $\mathcal P$)
- A multi-level security policy
- Security levels $\mathcal L$, comparable with $\le$ (might just be a list like Unclassified, Confidential, Secret, Top Secret, or could be more like a partial order)
- $f _ S : \mathcal S \to \mathcal L$, assigns each subject their maximum security level
- $f _ C : \mathcal S \to \mathcal L$, assigns each subject their current security level
- (why distinguish between maximum and current? Think of this like only being given access on a need-to-know basis).
- $f _ O : \mathcal O \to \mathcal L$, assigns each object a security level called its classification
- 4 modes of permission:
- Read access
- Write access (implicitly includes the ability to observe what is being written to)
- Append access (allows blind writing, no reading)
- Execute access (permits neither read nor write)
- State machine:
- The system is modelled as transitions through a set of states, starting from an initial state
- Transitions are operations like:
- Changing a user’s current or maximum security level
- Changing an object’s security level
- …
- States are secure if they satisfy three properties:
- ds-property, discretionary security property
- ss-property, simple security property, “no read up”
- $\star$-property, “no write-down”
The components of the Bell-LaPadula model are as follows:
- (Normal components of any access control model: $\mathcal S$, $\mathcal O$, $\mathcal P$)
- A multi-level security policy
- Security levels $\mathcal L$, comparable with $\le$ (might just be a list like Unclassified, Confidential, Secret, Top Secret, or could be more like a partial order)
- $f _ S : \mathcal S \to \mathcal L$, assigns each subject their maximum security level
- $f _ C : \mathcal S \to \mathcal L$, assigns each subject their current security level
- (why distinguish between maximum and current? Think of this like only being given access on a need-to-know basis).
- $f _ O : \mathcal O \to \mathcal L$, assigns each object a security level called its classification
- A set of currently granted permissions $\{\langle s, o, p\rangle, \ldots\}$
- A set of allowable permissions $\mathcal A \subseteq \{\langle s, o, p \rangle, \ldots\}$.
- 4 modes of permission:
- Read access
- Write access (implicitly includes the ability to observe what is being written to)
- Append access (allows blind writing, no reading)
- Execute access (permits neither read nor write)
- State machine:
- The system is modelled as transitions through a set of states, starting from an initial state
- Transitions are operations like:
- Changing a user’s current or maximum security level
- Changing an object’s security level
- …
In this context, @define what it means for a state to be secure, and then what it means for a system to be secure with respect to the Bell-LaPadula model.
A state is secure if it satisfies the three BLP conditions:
- ds-property, discretionary security property
- ss-property, simple security property, “no read up”
- $\star$-property, “no write-down”
A system is secure if the initial state is secure and every implemented action (state transition) takes a secure state to a secure state, so that every reachable state is secure.
The components of the Bell-LaPadula model are as follows:
- (Normal components of any access control model: $\mathcal S$, $\mathcal O$, $\mathcal P$)
- A multi-level security policy
- Security levels $\mathcal L$, comparable with $\le$ (might just be a list like Unclassified, Confidential, Secret, Top Secret, or could be more like a partial order)
- $f _ S : \mathcal S \to \mathcal L$, assigns each subject their maximum security level
- $f _ C : \mathcal S \to \mathcal L$, assigns each subject their current security level
- (why distinguish between maximum and current? Think of this like only being given access on a need-to-know basis).
- $f _ O : \mathcal O \to \mathcal L$, assigns each object a security level called its classification
- A set of currently granted permissions $\{\langle s, o, p\rangle, \ldots\}$
- A set of allowable permissions $\mathcal A \subseteq \{\langle s, o, p \rangle, \ldots\}$.
- 4 modes of permission:
- Read access
- Write access (implicitly includes the ability to observe what is being written to)
- Append access (allows blind writing, no reading)
- Execute access (permits neither read nor write)
- State machine:
- The system is modelled as transitions through a set of states, starting from an initial state
- Transitions are operations like:
- Changing a user’s current or maximum security level
- Changing an object’s security level
- …
In this context, @define what it means for a state to satisfy the ds-property.
- The “discretionary security property”.
- A state satisfies the ds-property if, whenever access $\langle s, o, p \rangle$ has been granted, $\langle s, o, p\rangle \in \mathcal A$.
- This intuitively says that subjects are never granted access to objects they shouldn’t be granted access to.
- (Mnemonic: If you’ve been given a DS for Christmas, you should be allowed to have a DS)
The components of the Bell-LaPadula model are as follows:
- (Normal components of any access control model: $\mathcal S$, $\mathcal O$, $\mathcal P$)
- A multi-level security policy
- Security levels $\mathcal L$, comparable with $\le$ (might just be a list like Unclassified, Confidential, Secret, Top Secret, or could be more like a partial order)
- $f _ S : \mathcal S \to \mathcal L$, assigns each subject their maximum security level
- $f _ C : \mathcal S \to \mathcal L$, assigns each subject their current security level
- (why distinguish between maximum and current? Think of this like only being given access on a need-to-know basis).
- $f _ O : \mathcal O \to \mathcal L$, assigns each object a security level called its classification
- A set of currently granted permissions $\{\langle s, o, p\rangle, \ldots\}$
- A set of allowable permissions $\mathcal A \subseteq \{\langle s, o, p \rangle, \ldots\}$.
- 4 modes of permission:
- Read access
- Write access (implicitly includes the ability to observe what is being written to)
- Append access (allows blind writing, no reading)
- Execute access (permits neither read nor write)
- State machine:
- The system is modelled as transitions through a set of states, starting from an initial state
- Transitions are operations like:
- Changing a user’s current or maximum security level
- Changing an object’s security level
- …
In this context, @define what it means for a state to satisfy the ss-property.
- The “simple security property”, “no read-up”
- A state satisfies the ss-property if, whenever $\langle s, o, \mathbf{READ}\rangle$ or $\langle s, o, \mathbf{WRITE}\rangle$ has been granted, $f _ S(s) \ge f _ O(o)$.
- This intuitively says that subjects with low clearance can’t read or write objects with a higher classification: the intern at MI5 can’t read top secret documents.
- The condition about $\mathbf{WRITE}$ is important since the ability to $\mathbf{WRITE}$ implicitly also assumes the ability to observe the object.
- (Mnemonic: It’s more like the ss-oo property, it means that $f _ {\pmb S}(\pmb s)$ should be greater than $f _ {\pmb O}(\pmb o)$).
The components of the Bell-LaPadula model are as follows:
- (Normal components of any access control model: $\mathcal S$, $\mathcal O$, $\mathcal P$)
- A multi-level security policy
- Security levels $\mathcal L$, comparable with $\le$ (might just be a list like Unclassified, Confidential, Secret, Top Secret, or could be more like a partial order)
- $f _ S : \mathcal S \to \mathcal L$, assigns each subject their maximum security level
- $f _ C : \mathcal S \to \mathcal L$, assigns each subject their current security level
- (why distinguish between maximum and current? Think of this like only being given access on a need-to-know basis).
- $f _ O : \mathcal O \to \mathcal L$, assigns each object a security level called its classification
- A set of currently granted permissions $\{\langle s, o, p\rangle, \ldots\}$
- A set of allowable permissions $\mathcal A \subseteq \{\langle s, o, p \rangle, \ldots\}$.
- 4 modes of permission:
- Read access
- Write access (implicitly includes the ability to observe what is being written to)
- Append access (allows blind writing, no reading)
- Execute access (permits neither read nor write)
- State machine:
- The system is modelled as transitions through a set of states, starting from an initial state
- Transitions are operations like:
- Changing a user’s current or maximum security level
- Changing an object’s security level
- …
In this context, @define what it means for a state to satisfy the $\star$-property.
- “No write-down”
- A state satisfies the $\star$-property if:
- $f _ C(s) \le f _ O(o)$, whenever $\langle s, o, \mathbf{APPEND}\rangle$ or $\langle s, o, \mathbf{WRITE} \rangle$ has been granted, and
- $f _ O(o') \le f _ O(o)$ for all objects $o'$ where $\langle s, o', \mathbf{READ}\rangle$ or $\langle s, o', \mathbf{WRITE}\rangle$ has been granted
- Intuitively:
- It’s easier to think of the contrapositive:
- The first part says if a subject has a high security level, they cannot modify objects of a lower classification. (The NSA chief cannot write in the newspaper).
- The second part says that you can only edit $o$ so long as you are not also reading (or writing, since reading is implicit in writing) objects of a higher classification. (If you’re reading the NSA chief’s diary, you also cannot write in the newspaper)
- Together these mean a subject can’t leak sensitive information by writing about high-security things in lower-security objects.
- Mnemonic: “CS is spooky, CS oooo’oo”.
The components of the Bell-LaPadula model are as follows:
- (Normal components of any access control model: $\mathcal S$, $\mathcal O$, $\mathcal P$)
- A multi-level security policy
- Security levels $\mathcal L$, comparable with $\le$ (might just be a list like Unclassified, Confidential, Secret, Top Secret, or could be more like a partial order)
- $f _ S : \mathcal S \to \mathcal L$, assigns each subject their maximum security level
- $f _ C : \mathcal S \to \mathcal L$, assigns each subject their current security level
- (why distinguish between maximum and current? Think of this like only being given access on a need-to-know basis).
- $f _ O : \mathcal O \to \mathcal L$, assigns each object a security level called its classification
- A set of currently granted permissions $\{\langle s, o, p\rangle, \ldots\}$
- A set of allowable permissions $\mathcal A \subseteq \{\langle s, o, p \rangle, \ldots\}$.
- 4 modes of permission:
- Read access
- Write access (implicitly includes the ability to observe what is being written to)
- Append access (allows blind writing, no reading)
- Execute access (permits neither read nor write)
- State machine:
- The system is modelled as transitions through a set of states, starting from an initial state
- Transitions are operations like:
- Changing a user’s current or maximum security level
- Changing an object’s security level
- …
In this context, a state satisfies the $\star$-property if:
- “No write-down”
- A state satisfies the $\star$-property if:
- $f _ C(s) \le f _ O(o)$, whenever $\langle s, o, \mathbf{APPEND}\rangle$ or $\langle s, o, \mathbf{WRITE} \rangle$ has been granted, and
- $f _ O(o') \le f _ O(o)$ for all objects $o'$ where $\langle s, o', \mathbf{READ}\rangle$ or $\langle s, o', \mathbf{WRITE}\rangle$ has been granted
- Intuitively:
- The first part says that a subject can’t leak sensitive information by writing about it in documents with a lower classification
- The second part says you can only edit and create objects so long as you are not also reading or writing objects of a higher classification
What implicit assumption is this making which is not very realistic for humans?
Subjects must “forget” the contents of higher security objects they have had access to earlier.
Why is the Bell-LaPadula model not suitable to express availability properties of a system?
“Availability cannot be expressed simply in terms of authorisation to access services, it also needs to be considered in the light of whether the system is actually making the service available in a particular time period. That would require a richer security model that can also consider periods of time.”
@exam~