Tranquility and BLP Dan Fleck CS 469: Security Engineering 1



Tranquility and BLP
Dan Fleck
CS 469: Security Engineering
These slides are modified with permission from Bill Young (Univ of Texas)
Changing Labels
Simple Security and the *-property constrain accesses to objects by
subjects according to the relationship between their labels. But what if
the labels are allowed to change?
Assume you could somehow change an object’s label from
(Top Secret: { Crypto })
to
(Unclassified: {})
independent of the object’s contents. This would clearly violate
confidentiality. Why?
John McLean of the Naval Research Lab pointed out that our rules so
far don’t prohibit this.
Tranquility Properties
We clearly need an additional rule that governs changing labels.
You might choose one of these:
The Strong Tranquility Property: Subjects and objects do not
change labels during the lifetime of the system.
The Weak Tranquility Property: Subjects and objects do not
change labels in a way that violates the “spirit” of the security
policy.
Are these useful? Are they overly restrictive? What if a user
needs to operate at different levels during the course of the
day?
Weak Tranquility
The Weak Tranquility Property: Subjects and objects do not change
labels in a way that violates the “spirit” of the security policy.
What does this mean?
• Suppose your system includes a command to lower the level of an
object in an unconstrained way. Does that violate the goals of simple
security or the *-property?
• Suppose your system includes a command to raise the level of an
object in an unconstrained way. Does that violate the goals of simple
security or the *-property?
• What about subjects? Can they change levels up or down?
Principle of Tranquility
• Raising an object’s security level
• Information once available to some subjects is no longer
available to them
• Usually we assume the information has already been accessed, so
raising the level creates no new information flow and does nothing
for confidentiality
• Lowering an object’s security level
• The declassification problem
• Essentially a “write down”, violating the *-property
• Solution: define a set of trusted subjects that sanitize or
remove sensitive information before the security level is lowered
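The following is an added example, not part of the original slides: a toy BLP reference monitor in Python that enforces Simple Security (no read up) and the *-property (no write down), then shows McLean’s point that an unconstrained relabel slips past both, and finally a relabel operation guarded by weak tranquility in which raising a label is always allowed but lowering is treated as declassification that only a trusted subject may perform after supplying sanitized contents. The label lattice, the `trusted` flag, the subjects and the document contents are all constructed for this demonstration.

```python
"""Toy BLP reference monitor with a tranquility check (added example).

A label is (level, category set). L1 dominates L2 when its level is at
least as high and its category set is a superset of L2's. Everything
below (subjects, objects, the `trusted` flag) is constructed for the demo.
"""
from dataclasses import dataclass

LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        """Lattice order used by both BLP properties."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


@dataclass
class Subject:
    name: str
    label: Label
    trusted: bool = False  # hypothetical flag: may declassify after sanitizing


@dataclass
class Object:
    name: str
    label: Label
    contents: str


class AccessDenied(Exception):
    pass


def read(s: Subject, o: Object) -> str:
    """Simple Security Property: a subject may read only what it dominates."""
    if not s.label.dominates(o.label):
        raise AccessDenied(f"{s.name} may not read {o.name}")
    return o.contents


def write(s: Subject, o: Object, data: str) -> None:
    """*-Property: a subject may write only to objects that dominate it."""
    if not o.label.dominates(s.label):
        raise AccessDenied(f"{s.name} may not write {o.name}")
    o.contents = data


def relabel_unconstrained(o: Object, new: Label) -> None:
    """The gap McLean pointed out: neither property above forbids this."""
    o.label = new


def relabel(s: Subject, o: Object, new: Label, sanitized: str = None) -> None:
    """Weak tranquility: raising a label is harmless; lowering it is
    declassification, allowed only to a trusted subject that replaces the
    sensitive contents with a sanitized version first."""
    if new.dominates(o.label):
        o.label = new  # raise: nothing becomes newly readable
        return
    if not s.trusted or sanitized is None:
        raise AccessDenied("lowering a label is a write-down; needs a trusted sanitizer")
    o.contents = sanitized
    o.label = new


def demo_mclean_gap() -> tuple:
    """Returns (read blocked before relabel, contents read after relabel)."""
    ts_crypto = Label("Top Secret", frozenset({"Crypto"}))
    unclass = Label("Unclassified")
    doc = Object("keyplan", ts_crypto, "rotate keys at 0400")  # constructed
    alice = Subject("alice", unclass)
    try:
        read(alice, doc)
        blocked = False
    except AccessDenied:
        blocked = True
    relabel_unconstrained(doc, unclass)  # label drops, contents untouched
    return blocked, read(alice, doc)      # Simple Security now lets it through


def demo_tranquility() -> dict:
    """Outcomes of the same moves under the guarded relabel."""
    ts_crypto = Label("Top Secret", frozenset({"Crypto"}))
    unclass = Label("Unclassified")
    doc = Object("keyplan", Label("Secret"), "rotate keys at 0400")  # constructed
    alice = Subject("alice", unclass)
    officer = Subject("officer", ts_crypto, trusted=True)
    out = {}
    relabel(alice, doc, ts_crypto)              # raising: permitted
    out["raise"] = doc.label.level
    try:
        relabel(alice, doc, unclass)            # lowering by untrusted subject
        out["lower_untrusted"] = "allowed"
    except AccessDenied:
        out["lower_untrusted"] = "denied"
    relabel(officer, doc, unclass, sanitized="key rotation scheduled")
    out["lower_trusted"] = read(alice, doc)     # only the sanitized text leaks
    try:
        write(officer, doc, "rotate keys at 0400")  # *-property: no write down
        out["write_down"] = "allowed"
    except AccessDenied:
        out["write_down"] = "denied"
    return out
```

Run `demo_mclean_gap()` to see the Top Secret contents come back to an Unclassified subject with neither property ever tripped; `demo_tranquility()` shows the raise succeed, the untrusted lowering refused, and the trusted lowering release only the sanitized contents, with the trusted subject still unable to write back down into the now-Unclassified object.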
Bell and LaPadula
The Simple Security Property, *-Property and Tranquility
Property formalize a large portion of multi-level security, which
is also sometimes called military security.
This formalization is due to D. Elliott Bell and Len LaPadula
(1973–75) and is called the Bell and LaPadula Model (BLP).
Bell and LaPadula modeled the system as a state machine and showed
that if every state transition preserves these properties, a system
that starts in a secure state stays secure.
Despite its age BLP is still a cornerstone of modern computer
security and is still very widely used as a policy.
Lessons
• The ability to change labels arbitrarily can subvert security, so
we need a tranquility property to deal with that threat.
• Simple Security, the *-Property, and Tranquility together form
the basis of the Bell and LaPadula (BLP) model of security.
• BLP is a widely used model of military security. However, some
have questioned it:
• McLean: “value of the BLP is much overrated since there is a
great deal more to security than it captures. Further, what is
captured by the BLP is so trivial that it is hard to imagine a
realistic security model for which it does not hold.”