Notes - Computer Security MT24, Bell-LaPadula model
Flashcards
What is the Bell-LaPadula model intuitively?
A formal model of security which aims to capture what it means for a system to be “confidential”. It’s a framework in which a real system can be tested to decide whether the system maintains the confidentiality of certain data.
Is the Bell-LaPadula model concerned primarily with confidentiality or integrity?
Confidentiality.
@Define the components of the Bell-LaPadula model, omitting the details of the properties a state must satisfy for it to be secure.
- (Normal components of any access control model: $\mathcal S$, $\mathcal O$, $\mathcal P$)
- A multi-level security policy
  - Security levels $\mathcal L$, comparable with $\le$ (might just be a list like Unclassified, Confidential, Secret, Top Secret, or could be more like a partial order)
  - $f _ S : \mathcal S \to \mathcal L$, assigns each subject their maximum security level / clearance
  - $f _ C : \mathcal S \to \mathcal L$, assigns each subject their current security level
    - (why distinguish between maximum and current? Think of this like only being given access on a need-to-know basis).
  - $f _ O : \mathcal O \to \mathcal L$, assigns each object a security level called its classification
- 4 modes of permission:
  - Read access
  - Write access (implicitly includes the ability to observe what is being written to)
  - Append access (allows blind writing, no reading)
  - Execute access (permits neither read nor write)
- State machine:
  - The system is modelled as transitions through a set of states, starting from an initial state
  - Transitions are operations like:
    - Changing a user’s current or maximum security level
    - Changing an object’s security level
    - …
- States are secure if they satisfy three properties:
  - ds-property, discretionary security property
  - ss-property, simple security property, “no read up”
  - $\star$-property, “no write-down”
The components of the Bell-LaPadula model are as follows:
- (Normal components of any access control model: $\mathcal S$, $\mathcal O$, $\mathcal P$)
- A multi-level security policy
  - Security levels $\mathcal L$, comparable with $\le$ (might just be a list like Unclassified, Confidential, Secret, Top Secret, or could be more like a partial order)
  - $f _ S : \mathcal S \to \mathcal L$, assigns each subject their maximum security level / clearance
  - $f _ C : \mathcal S \to \mathcal L$, assigns each subject their current security level
    - (why distinguish between maximum and current? Think of this like only being given access on a need-to-know basis).
  - $f _ O : \mathcal O \to \mathcal L$, assigns each object a security level called its classification
  - A set of currently granted permissions $\{\langle s, o, p\rangle, \ldots\}$
  - A set of allowable permissions $\mathcal A \subseteq \{\langle s, o, p \rangle, \ldots\}$.
- 4 modes of permission:
  - Read access
  - Write access (implicitly includes the ability to observe what is being written to)
  - Append access (allows blind writing, no reading)
  - Execute access (permits neither read nor write)
- State machine:
  - The system is modelled as transitions through a set of states, starting from an initial state
  - Transitions are operations like:
    - Changing a user’s current or maximum security level
    - Changing an object’s security level
    - …
In this context, @define what it means for a state to be secure, and then what it means for a system to be secure with respect to the Bell-LaPadula model.
A state is secure if it satisfies the three BLP conditions:
- ds-property, discretionary security property
- ss-property, simple security property, “no read up”
- $\star$-property, “no write-down”

A system is secure if the initial state is secure and every implemented action preserves the condition.
The components of the Bell-LaPadula model are as follows:
- (Normal components of any access control model: $\mathcal S$, $\mathcal O$, $\mathcal P$)
- A multi-level security policy
  - Security levels $\mathcal L$, comparable with $\le$ (might just be a list like Unclassified, Confidential, Secret, Top Secret, or could be more like a partial order)
  - $f _ S : \mathcal S \to \mathcal L$, assigns each subject their maximum security level / clearance
  - $f _ C : \mathcal S \to \mathcal L$, assigns each subject their current security level
    - (why distinguish between maximum and current? Think of this like only being given access on a need-to-know basis).
  - $f _ O : \mathcal O \to \mathcal L$, assigns each object a security level called its classification
  - A set of currently granted permissions $\{\langle s, o, p\rangle, \ldots\}$
  - A set of allowable permissions $\mathcal A \subseteq \{\langle s, o, p \rangle, \ldots\}$.
- 4 modes of permission:
  - Read access
  - Write access (implicitly includes the ability to observe what is being written to)
  - Append access (allows blind writing, no reading)
  - Execute access (permits neither read nor write)
- State machine:
  - The system is modelled as transitions through a set of states, starting from an initial state
  - Transitions are operations like:
    - Changing a user’s current or maximum security level
    - Changing an object’s security level
    - …
In this context, @define what it means for a state to satisfy the ds-property.
- The “discretionary security property”.
- A state satisfies the ds-property if, whenever access $\langle s, o, p \rangle$ has been granted, $\langle s, o, p\rangle \in \mathcal A$.
  - This intuitively says that subjects are never granted access to objects they shouldn’t be granted access to.
- (Mnemonic: If you’ve been given a DS for Christmas, you should be allowed to have a DS)
The components of the Bell-LaPadula model are as follows:
- (Normal components of any access control model: $\mathcal S$, $\mathcal O$, $\mathcal P$)
- A multi-level security policy
  - Security levels $\mathcal L$, comparable with $\le$ (might just be a list like Unclassified, Confidential, Secret, Top Secret, or could be more like a partial order)
  - $f _ S : \mathcal S \to \mathcal L$, assigns each subject their maximum security level / clearance
  - $f _ C : \mathcal S \to \mathcal L$, assigns each subject their current security level
    - (why distinguish between maximum and current? Think of this like only being given access on a need-to-know basis).
  - $f _ O : \mathcal O \to \mathcal L$, assigns each object a security level called its classification
  - A set of currently granted permissions $\{\langle s, o, p\rangle, \ldots\}$
  - A set of allowable permissions $\mathcal A \subseteq \{\langle s, o, p \rangle, \ldots\}$.
- 4 modes of permission:
  - Read access
  - Write access (implicitly includes the ability to observe what is being written to)
  - Append access (allows blind writing, no reading)
  - Execute access (permits neither read nor write)
- State machine:
  - The system is modelled as transitions through a set of states, starting from an initial state
  - Transitions are operations like:
    - Changing a user’s current or maximum security level
    - Changing an object’s security level
    - …
In this context, @define what it means for a state to satisfy the ss-property.
- The “simple security property”, “no read-up”
- A state satisfies the ss-property if, whenever $\langle s, o, \mathbf{READ}\rangle$ or $\langle s, o, \mathbf{WRITE}\rangle$ has been granted, $f _ S(s) \ge f _ O(o)$.
  - This intuitively says that subjects with low clearance can’t read or write objects with high classification: the intern at MI5 can’t read top secret documents.
  - The condition about $\mathbf{WRITE}$ is important since the ability to $\mathbf{WRITE}$ implicitly also assumes the ability to observe the object.
- (Mnemonic: It’s more like the ss-oo property, it means that $f _ {\pmb S}(\pmb s)$ should be greater than $f _ {\pmb O}(\pmb o)$).
The components of the Bell-LaPadula model are as follows:
- (Normal components of any access control model: $\mathcal S$, $\mathcal O$, $\mathcal P$)
- A multi-level security policy
  - Security levels $\mathcal L$, comparable with $\le$ (might just be a list like Unclassified, Confidential, Secret, Top Secret, or could be more like a partial order)
  - $f _ S : \mathcal S \to \mathcal L$, assigns each subject their maximum security level / clearance
  - $f _ C : \mathcal S \to \mathcal L$, assigns each subject their current security level
    - (why distinguish between maximum and current? Think of this like only being given access on a need-to-know basis).
  - $f _ O : \mathcal O \to \mathcal L$, assigns each object a security level called its classification
  - A set of currently granted permissions $\{\langle s, o, p\rangle, \ldots\}$
  - A set of allowable permissions $\mathcal A \subseteq \{\langle s, o, p \rangle, \ldots\}$.
- 4 modes of permission:
  - Read access
  - Write access (implicitly includes the ability to observe what is being written to)
  - Append access (allows blind writing, no reading)
  - Execute access (permits neither read nor write)
- State machine:
  - The system is modelled as transitions through a set of states, starting from an initial state
  - Transitions are operations like:
    - Changing a user’s current or maximum security level
    - Changing an object’s security level
    - …
In this context, @define what it means for a state to satisfy the $\star$-property.
- “No write-down”
- A state satisfies the $\star$-property if, whenever $\langle s, o, \mathbf{APPEND}\rangle$ or $\langle s, o, \mathbf{WRITE} \rangle$ has been granted:
  - $f _ C(s) \le f _ O(o)$, and
  - $f _ O(o') \le f _ O(o)$ for all objects $o'$ where $\langle s, o', \mathbf{READ}\rangle$ or $\langle s, o', \mathbf{WRITE}\rangle$ has been granted
- Intuitively:
  - It’s easier to think of the contrapositive:
    - The first part says that if a subject has a high current security level, they cannot modify objects of a lower classification. (The NSA chief cannot write in the newspaper).
    - The second part says that you can only edit $o$ so long as you are not also reading (or writing, since reading is implicit in writing) objects of a higher classification. (If you’re reading the NSA chief’s diary, you also cannot write in the newspaper)
  - Together these mean a subject can’t leak sensitive information by writing about high-security things in lower-security objects.
- Mnemonic: “CS is spooky, CS oooo’oo”.
The components of the Bell-LaPadula model are as follows:
- (Normal components of any access control model: $\mathcal S$, $\mathcal O$, $\mathcal P$)
- A multi-level security policy
  - Security levels $\mathcal L$, comparable with $\le$ (might just be a list like Unclassified, Confidential, Secret, Top Secret, or could be more like a partial order)
  - $f _ S : \mathcal S \to \mathcal L$, assigns each subject their maximum security level / clearance
  - $f _ C : \mathcal S \to \mathcal L$, assigns each subject their current security level
    - (why distinguish between maximum and current? Think of this like only being given access on a need-to-know basis).
  - $f _ O : \mathcal O \to \mathcal L$, assigns each object a security level called its classification
  - A set of currently granted permissions $\{\langle s, o, p\rangle, \ldots\}$
  - A set of allowable permissions $\mathcal A \subseteq \{\langle s, o, p \rangle, \ldots\}$.
- 4 modes of permission:
  - Read access
  - Write access (implicitly includes the ability to observe what is being written to)
  - Append access (allows blind writing, no reading)
  - Execute access (permits neither read nor write)
- State machine:
  - The system is modelled as transitions through a set of states, starting from an initial state
  - Transitions are operations like:
    - Changing a user’s current or maximum security level
    - Changing an object’s security level
    - …
In this context, a state satisfies the $\star$-property if:
- “No write-down”
- A state satisfies the $\star$-property if, whenever $\langle s, o, \mathbf{APPEND}\rangle$ or $\langle s, o, \mathbf{WRITE} \rangle$ has been granted:
  - $f _ C(s) \le f _ O(o)$, and
  - $f _ O(o') \le f _ O(o)$ for all objects $o'$ where $\langle s, o', \mathbf{READ}\rangle$ or $\langle s, o', \mathbf{WRITE}\rangle$ has been granted
- Intuitively:
  - The first part says that a subject can’t leak sensitive information by writing about it in documents with a lower classification
  - The second part says you can only edit and create objects so long as you are not also reading or writing objects of a higher classification
What implicit assumption is this making which is not very realistic for humans?
Subjects must “forget” the contents of higher security objects they have had access to earlier.