Transcript Information Security

INFORMATION SECURITY:
CONFIDENTIALITY POLICIES
(CHAPTER 4)
Dr. Shahriar Bijani
Shahed University
SLIDES REFERENCES
Matt Bishop, Computer Security: Art and
Science, the author homepage, 2002-2004.
 Chris Clifton, CS 526: Information Security
course, Purdue university, 2010.

2
CHAPTER 5: CONFIDENTIALITY POLICIES
 Overview

What is a confidentiality model
 Bell-LaPadula



Model
General idea
Informal description of rules
Formal description of rules
 Tranquility
 Controversy


†-property
System Z
3
OVERVIEW

Bell-LaPadula
Informally
 Formally
 Example Instantiation

Tranquility
 Controversy


System Z
4
CONFIDENTIALITY POLICY

Goal: prevent the unauthorized disclosure of
information


Deals with information flow
Multi-level security models are best-known
examples

Bell-LaPadula Model basis for many, or most, of these
5
BACKGROUND
 Clearance

Top Secret


In-depth background check; highly trusted individual
Secret


levels
Routine background check; trusted individual
For Official Use Only/Sensitive
No background check, but limited distribution;
minimally trusted individuals
 May be exempt from disclosure


Unclassified
Unlimited distribution
 Untrusted individuals

6
BELL-LAPADULA MODEL (STEP 1)

Security levels arranged in linear ordering
Top Secret: highest
 Secret
 Confidential
 Unclassified: lowest


Levels consist of:
Subject has security clearance L(s) = ls
 Object has security classification L(o) = lo
 Clearance/Classification ordered:

l < li+1
 i

Mandatory access control
7
EXAMPLE
security level
subject
object
l4: Top Secret
Bill
Personnel Files
l3: Secret
Samuel
E-Mail Files
l2: Confidential Claire
Activity Logs
l1: Unclassified John
Telephone Lists
• Bill can read all files
• Claire cannot read Personnel or E-Mail Files
• John can only read Telephone Lists
READING INFORMATION

Information flows up, not down


“Reads up” disallowed, “reads down” allowed
Simple Security Condition (Step 1)

Subject s can read object o iff, L(o) ≤ L(s) and s
has permission to read o

Note: combines mandatory control (relationship of security
levels) and discretionary control (the required permission)

Sometimes called “no reads up” rule
9
WRITING INFORMATION

Information flows up, not down


“Writes up” allowed, “writes down” disallowed
*-Property (Step 1)

Subject s can write object o iff L(s) ≤ L(o) and s
has permission to write o

Note: combines mandatory control (relationship of security
levels) and discretionary control (the required permission)

Sometimes called “no writes down” rule
10
BASIC SECURITY THEOREM, STEP 1

If a system is initially in a secure state, and
every transition of the system satisfies the simple
security condition, step 1, and the *-property,
step 1, then every state of the system is secure

Proof: induct on the number of transitions
11
BASICS: PARTIALLY ORDERED SET

A Set S with relation  (written (S, ) is called a
partially ordered set if  is

Anti-symmetric


Reflexive


If a  b and b  a then a = b
For all a in S, a  a
Transitive

For all a, b, c. a  b and b  c implies a  c
12
BACKGROUND: POSET EXAMPLES

Natural numbers with less than (total order)

Sets under the subset relation (not a total order)

Natural numbers ordered by divisibility
13
BACKGROUND: LATTICE
 Partially

greatest lower bound (glb X)


ordered set (S, ) and two operations:
Greatest element less than all elements of set X
least upper bound (lub X)

Least element greater than all elements of set X
 Every
lattice has

bottom (glb L) a least element

top (lub L) a greatest element
14
BACKGROUND: LATTICE EXAMPLES

Natural numbers in an interval (0 .. n) with less than

Also the linear order of clearances
(U  FOUO  S  TS)

The powerset of a set of generators under inclusion

E.g. Powerset of security categories
{NUC, Crypto, ASI, EUR}

The divisors of a natural number under divisibility
15
BELL-LAPADULA MODEL (STEP 2)

Total order of classifications not flexible enough

Solution: Categories


S can access O if C(O)  C(S)
Combining with clearance:

(L,C) dominates (L’,C’) L’ = L and C’  C

Induces lattice instead of levels

Expand notion of security level to include categories

Security level is (clearance, category set)
16
BELL-LAPADULA MODEL (BLP)

Lattice Example1
{NUC, EUR}
{NUC}
{NUC, EUR, US}
{NUC, US}
{EUR}
{EUR, US}
{US}


Lattice Example2



( Top Secret, { NUC, EUR, ASI } )
( Confidential, { EUR, ASI } )
( Secret, { NUC, ASI } )
17
LEVELS AND LATTICES

dom (dominates) relation

(L, C) dom (L, C) iff L ≤ L and C  C

Examples


(Top Secret, {NUC, ASI}) dom (Secret, {NUC})

(Secret, {NUC, EUR}) dom (Confidential,{NUC, EUR})

(Top Secret, {NUC}) dom (Confidential, {EUR})
Let C be set of clearances, K set of categories. Set of
security levels L = C  K, dom form lattice

lub(L) = (max(L), C)

glb(L) = (min(L), )
18
LEVELS AND ORDERING

Security levels partially ordered

Any pair of security levels may (or may not) be
related by dom

“dominates” serves the role of “greater than” in
step 1

But “greater than” is a total ordering,
19
READING INFORMATION

Information flows up, not down


“Reads up” disallowed, “reads down” allowed
Simple Security Condition (Step 2)

Subject s can read object o iff L(s) dom L(o) and
s has permission to read o

Note: combines mandatory control (relationship of security
levels) and discretionary control (the required permission)

Sometimes called “no reads up” rule
20
WRITING INFORMATION

Information flows up, not down


“Writes up” allowed, “writes down” disallowed
*-Property (Step 2)

Subject s can write object o iff L(o) dom L(s) and
s has permission to write o

Note: combines mandatory control (relationship of security
levels) and discretionary control (the required permission)

Sometimes called “no writes down” rule
21
BASIC SECURITY THEOREM (STEP 2)

If a system is initially in a secure state, and
every transition of the system satisfies the simple
security condition (step 2) and the *-property
(step 2) then every state of the system is secure

Proof: induct on the number of transitions
22
EXAMPLE


George is cleared into security level (SECRET,{NUC, EUR}),
DocA is classified as ( CONFIDENTIAL, { NUC } ), DocB is classified
as ( SECRET, { EUR, US}), and DocC is classified as (SECRET, {
EUR }). Then:
George dom DocA as CONFIDENTIAL ≤ SECRET and
{ NUC }  { NUC, EUR }

George ¬dom DocB as { EUR, US }  { NUC, EUR }

George dom DocC as SECRET ≤ SECRET and { EUR }  { NUC, EUR }


George can read DocA and DocC but not DocB (assuming the
discretionary access controls allow such access).
Suppose Paul is cleared as (SECRET, { EUR, US, NUC }) and has
discretionary read access to DocB. Paul can read DocB; were he to
copy its contents to DocA and set its access permissions accordingly.
George could then read DocB!?

*-property (step 2) prevents this
23
PROBLEM

Colonel has (Secret, {NUC, EUR}) clearance

Major has (Secret, {EUR}) clearance


Major can talk to colonel (“write up” or “read down”)

Colonel cannot talk to major (“read up” or “write down”)
Not Desired!
24
SOLUTION

Define maximum, current levels for subjects


maxlevel(s) dom curlevel(s)
Example

Treat Major as an object (Colonel is writing to him)

Colonel has maxlevel (Secret, { NUC, EUR })

Colonel sets curlevel to (Secret, { EUR })

Now L(Major) dom curlevel(Colonel)

Colonel can write to Major without violating “no writes down”
25
SYSTEMS BUILT ON BELL-LAPADULA (BLP)

BLP was a simple model

Intent was that it could be enforced by simple
mechanisms

File system access control was the obvious choice

Multics (1965) implemented BLP

Unix inherited its discretionary AC from Multics
26