computer security confidentiality policies


Upload: orenda

Post on 23-Feb-2016


DESCRIPTION

Computer Security: Confidentiality Policies. A confidentiality policy, or information flow policy, prevents unauthorized disclosure of information. The Bell-LaPadula model.

TRANSCRIPT

Page 1: Computer Security Confidentiality Policies

04/22/23 1

Computer Security: Confidentiality Policies

Page 2: Computer Security Confidentiality Policies

Confidentiality Policies

A confidentiality policy, or information flow policy, prevents unauthorized disclosure of information.

Page 3: Computer Security Confidentiality Policies

The Bell-LaPadula model

Confidentiality, in its simplest form, can be achieved by using a set of security clearances, arranged, say, linearly (hierarchically).

Clearance / classification   Example objects          Example subjects
Top secret (TS)              Personnel files          Alice, Bob
Secret (S)                   Electronic mail files    Sally, Cindy
Confidential (C)             Activity log files       Claire, David
Unclassified (UC)            Telephone list files     Joe Bloggs

Page 4: Computer Security Confidentiality Policies

The Bell-LaPadula model

Let L(S) = l_S be the security clearance of subject S and L(O) = l_O be the security classification of object O.

• Simple Security Property (ss-Property), preliminary version: S can read O iff
  • l_O ≤ l_S (MAC) and
  • S has discretionary read access to O (DAC).

• *-Property (star Property), preliminary version: S can write O iff
  • l_S ≤ l_O (MAC) and
  • S has discretionary write access to O (DAC).

Page 5: Computer Security Confidentiality Policies

Secure Systems

A system is secure if all its states satisfy the ss-property and the *-property.

Theorem. Basic Security Theorem, preliminary version.

Let a system have a secure initial state, and let T be the set of its state transformations. If every element of T preserves the ss- and *-properties, then the system is secure.

Page 6: Computer Security Confidentiality Policies

Extending the model

Extend the structure of the security clearances by using a lattice instead of a hierarchical (linear) structure.

This model uses categories.

• Objects are placed in multiple categories.
• Sets of categories are added to each security classification.

Categories arise from the "need-to-know" principle.

Page 7: Computer Security Confidentiality Policies

An example of a lattice: the set of subsets of {a,b,c}

          {a,b,c}
    {a,b}  {a,c}  {b,c}
     {a}    {b}    {c}

Page 8: Computer Security Confidentiality Policies

A lattice for the categories NUC, EUR and US

              {NUC, EUR, US}
    {NUC, EUR}  {NUC, US}  {EUR, US}
       {NUC}      {EUR}      {US}

Page 9: Computer Security Confidentiality Policies

An example, continued

• Let H = {TS, S, SC, UC} be a set of classifications with hierarchical ordering.
• Take a set of categories {NUC, EUR, US}.
• A compartment is a set of categories.
• A security label is a pair (L, C), where L ∈ H is the security level and C is a compartment.

Page 10: Computer Security Confidentiality Policies

An example, continued

• The partial ordering is defined by: (L, C) dom (L', C') if and only if L' ≤ L and C' ⊆ C.

We say that (L, C) dominates (L', C').

Example: (S, {NUC, EUR}) dom (UC, {NUC}).

Page 11: Computer Security Confidentiality Policies

A sublattice of a partial ordering

                  {TS; NUC, EUR, US}
    {S; NUC, EUR}   {S; NUC, US}   {S; EUR, US}
       {UC; NUC}      {UC; EUR}      {UC; US}

(the full lattice has 4 × 8 = 32 nodes)

Page 12: Computer Security Confidentiality Policies

Examples

Suppose
• George is cleared into security level (S, {NUC, EUR})
• DocA is classified (UC, {NUC})
• DocB is classified (UC, {EUR, US})
• DocC is classified (S, {EUR})

Then
• George dom DocA, George dom DocC,
• George does not dom DocB (US is not in George's compartment).

Page 13: Computer Security Confidentiality Policies

Bell-LaPadula (BLP) Model

BLP structure combines:
• access permission matrices, for access control,
• a security lattice, for security levels,
• an automaton, for access operations.

Security policies are reduced to relations in the BLP structure.

Page 14: Computer Security Confidentiality Policies

BLP Model

• A set of subjects S
• A set of objects O
• A set of access operations A = {execute, read, append, write}
• A set L of security levels, with a partial ordering.

Page 15: Computer Security Confidentiality Policies

The Bell-LaPadula model (general case)

• Simple Security Condition (ss-Condition): S can read O iff
  • S dom O (MAC) and
  • S has discretionary read access to O (DAC).

• *-Condition (star Condition), preliminary version: S can write O iff
  • O dom S (MAC) and
  • S has discretionary write access to O (DAC).
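The following Python is an added example, not code from the lecture slides: it implements security labels (L, C) with the dominance relation of slide 10, reproduces the George/DocA/DocB/DocC instances of slide 12, and applies the ss- and *-conditions of slide 15 (MAC part via dom, DAC part via an access-control matrix). Level names follow slide 3 (TS, S, C, UC); the extra document DocD, the subject/object names and the ACM are constructed for the example.

```python
# Added example (not from the lecture slides): labels (L, C), dominance,
# and the read/write conditions of the general Bell-LaPadula model.
from dataclasses import dataclass

# Hierarchical (linear) ordering of classifications: larger rank = higher level.
RANK = {"UC": 0, "C": 1, "S": 2, "TS": 3}


@dataclass(frozen=True)
class Label:
    """A security label (L, C): level L in H and compartment C (a set of categories)."""
    level: str
    categories: frozenset


def label(level, *categories):
    if level not in RANK:
        raise ValueError(f"unknown security level {level!r}")
    return Label(level, frozenset(categories))


def dom(x: Label, y: Label) -> bool:
    """(L, C) dom (L', C') iff L' <= L in H and C' is a subset of C."""
    return RANK[y.level] <= RANK[x.level] and y.categories <= x.categories


def can_read(s, o, fs, fo, acm) -> bool:
    """ss-condition: S dom O (MAC) and S has discretionary read access to O (DAC)."""
    return dom(fs, fo) and "read" in acm.get((s, o), set())


def can_write(s, o, fs, fo, acm) -> bool:
    """*-condition: O dom S (MAC) and S has discretionary write access to O (DAC)."""
    return dom(fo, fs) and "write" in acm.get((s, o), set())


# Slide 12's instances, plus a constructed DocD above George to show write-up.
GEORGE = label("S", "NUC", "EUR")
DOCS = {
    "DocA": label("UC", "NUC"),
    "DocB": label("UC", "EUR", "US"),
    "DocC": label("S", "EUR"),
    "DocD": label("TS", "NUC", "EUR", "US"),   # constructed, not on the slide
}
# Constructed ACM: George holds discretionary read and write on every document,
# so every decision below is settled by the MAC (dominance) part alone.
ACM = {("George", d): {"read", "write"} for d in DOCS}


def dominance_report():
    """Which documents George's label dominates (slide 12)."""
    return {name: dom(GEORGE, lbl) for name, lbl in DOCS.items()}


def decisions(doc):
    """Read/write decision for George on one document under the ss- and *-conditions."""
    return {
        "read": can_read("George", doc, GEORGE, DOCS[doc], ACM),
        "write": can_write("George", doc, GEORGE, DOCS[doc], ACM),
    }


if __name__ == "__main__":
    print(dominance_report())
    for d in DOCS:
        print(d, DOCS[d].level, sorted(DOCS[d].categories), decisions(d))
```

Note that DocC is readable (George dominates it) but not writable even though both sit at level S: writing requires DocC's label to dominate George's, and {NUC, EUR} is not a subset of {EUR}. The only writable document is the constructed DocD, which George cannot read; this is the "no read up, no write down" pattern the two conditions produce together.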

Page 16: Computer Security Confidentiality Policies

Secure Systems

Theorem. Basic Security Theorem. Let a system have a secure initial state, and let T be the set of its state transformations. If every element of T preserves the ss- and *-conditions, then the system is secure.

Page 17: Computer Security Confidentiality Policies

Formal model

• S = set of subjects
• O = set of objects
• P = set of rights: r (read), a (write), w (read/write), e (empty) (= execute in BLP)
• M = set of possible ACMs
• L = C × K, the lattice of security levels, where C = set of clearances and K = set of categories
• F = set of triples (fs, fo, fc) where
  – fs and fc associate to each subject a maximum/current security level, and
  – fo associates with each object a security level.

Page 18: Computer Security Confidentiality Policies

Formal model

Objects may be organized as a set of hierarchies (trees and single nodes). Let H = {h : O → P(O)} represent the set of hierarchy functions. For o_i, o_j, o_k ∈ O we require that:

1. If o_i ≠ o_j, then h(o_i) ∩ h(o_j) = ∅.

2. There is no set {o_1, o_2, …, o_k} ⊆ O such that for each i = 1, 2, …, k, o_{i+1} ∈ h(o_i) and o_{k+1} = o_1.
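As an added example (not from the slides), the function below checks a candidate hierarchy function h against the two conditions above: condition 1 (the child sets of distinct objects are disjoint, so no object has two parents) and condition 2 (following h never returns to its starting object, so the structure is a forest of trees and single nodes). h is modelled as a dict from each object to the set of its children; the object names in the sample inputs are constructed.

```python
# Added example (not from the slides): validating a hierarchy function h: O -> P(O).


def check_hierarchy(objects, h):
    """Return (True, "ok") if h satisfies both conditions, else (False, reason)."""
    objects = set(objects)

    # h must only mention members of O.
    for o, children in h.items():
        if o not in objects or not set(children) <= objects:
            return False, f"h refers to an object outside O: {o!r}"

    # Condition 1: if o_i != o_j then h(o_i) and h(o_j) are disjoint,
    # i.e. every object appears in at most one child set.
    parent = {}
    for o in objects:
        for child in h.get(o, ()):
            if child in parent:
                return False, f"condition 1: {child!r} in both h({parent[child]!r}) and h({o!r})"
            parent[child] = o

    # Condition 2: no chain o_1 -> o_2 -> ... -> o_k -> o_1 (k = 1 is a self-loop).
    WHITE, GREY, BLACK = 0, 1, 2
    colour = {o: WHITE for o in objects}

    def visit(o):
        colour[o] = GREY                      # on the current path
        for child in h.get(o, ()):
            if colour[child] == GREY:         # back edge: a cycle
                return False
            if colour[child] == WHITE and not visit(child):
                return False
        colour[o] = BLACK                     # fully explored
        return True

    for o in objects:
        if colour[o] == WHITE and not visit(o):
            return False, "condition 2: h contains a cycle"
    return True, "ok"


# Constructed sample hierarchies.
FOREST = {"root": {"a", "b"}, "a": {"c"}, "b": set(), "c": set(), "lone": set()}
SHARED_CHILD = {"root": {"a"}, "x": {"a"}, "a": set()}          # breaks condition 1
CYCLE = {"a": {"b"}, "b": {"c"}, "c": {"a"}}                     # breaks condition 2
SELF_LOOP = {"a": {"a"}}                                         # k = 1 case

if __name__ == "__main__":
    for name, h in [("FOREST", FOREST), ("SHARED_CHILD", SHARED_CHILD),
                    ("CYCLE", CYCLE), ("SELF_LOOP", SELF_LOOP)]:
        print(name, check_hierarchy(h.keys(), h))
```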

Page 19: Computer Security Confidentiality Policies

Formal model

A state v ∈ V of the system is a 4-tuple (b, m, f, h), where

• b ∈ P(S × O × P), a set of triples (s, o, p), indicates which subjects have access to which objects,
• m ∈ M is the ACM for the current state,
• f is the triple indicating the current subject and object clearances and categories,
• h ∈ H is the hierarchy of objects for the current state.

Page 20: Computer Security Confidentiality Policies

Formal model

• R denotes the set of requests.
• D denotes the set of outcomes (decisions).
• W ⊆ R × D × V × V is the set of actions (r, d, v, v') of the system.

The history of a system as it executes. Let N be the set of positive integers (representing time).

• X = R^N is the set of sequences of requests x (a tuple)
• Y = D^N is the set of sequences of decisions y (a tuple)
• Z = V^N is the set of sequences of states z (a tuple)

We interpret this as follows: at some point in time t ∈ N:

• The system is in state v_{t-1}
• A subject makes a request x_t
• The system makes a decision y_t
• The system transitions into a possibly new state z_t

Page 21: Computer Security Confidentiality Policies

Formal model

A system is represented by an initial state and a sequence of requests, decisions and corresponding states. Formally, the system (R, D, W, z0) is a subset of X × Y × Z, with z0 the initial state.

Furthermore, (x, y, z) belongs to the system (R, D, W, z0) iff (x_t, y_t, z_t, z_{t-1}) ∈ W for all t ∈ N.

Page 22: Computer Security Confidentiality Policies

An example

See textbook p. 133.

Page 23: Computer Security Confidentiality Policies

The Bell-LaPadula model: ss-property

(s, o, p) ∈ S × O × P satisfies the ss-property relative to the security level f iff one of the following holds:

a. p = e or p = a
b. p = r or p = w, and fc(s) dom fo(o).

A system satisfies the ss-property if all its states satisfy it.

Page 24: Computer Security Confidentiality Policies

The Bell-LaPadula model: ss-property

In other words, a subject can read an object, or read and write to it, only if the subject's current level dominates the object's level.

Page 25: Computer Security Confidentiality Policies

The Bell-LaPadula model

Define b(s: p1, …, pn) to be the set of objects that s has access to with rights p1, …, pn.

*-property: A state satisfies the *-property iff for each s ∈ S the following hold:

a. b(s:a) ≠ ∅ ⇒ [∀o ∈ b(s:a) [fo(o) dom fc(s)]] (write-up)
b. b(s:w) ≠ ∅ ⇒ [∀o ∈ b(s:w) [fo(o) = fc(s)]] (equality for read)
c. b(s:r) ≠ ∅ ⇒ [∀o ∈ b(s:r) [fc(s) dom fo(o)]] (read-down)

Page 26: Computer Security Confidentiality Policies

The Bell-LaPadula model: *-property

In other words, a state satisfies the *-property if for each s ∈ S:

• s can write to an object o only if the object's classification dominates the subject's current clearance (write-up);
• s can also read o (read/write access) only if its classification is the same as the clearance level (equality for read).

Page 27: Computer Security Confidentiality Policies

The Bell-LaPadula model: ds-property

A state v = (b, m, f, h) satisfies the discretionary security property (ds-property) iff for all (s, o, p) ∈ b we have p ∈ m[s, o].

A system is secure if it satisfies the ss-property, the *-property and the ds-property.
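The Python below is an added example, not code from the slides: it takes one state v = (b, m, f, h) in the form of the formal model and reports every access triple that breaks the ss-property (slide 23), the *-property (slide 25) or the ds-property (slide 27). The *-property is checked triple by triple, which is the same test as the slide's per-subject quantification over b(s:a), b(s:w) and b(s:r). Labels are (level, categories) pairs; the subjects, objects, access set b and ACM m are constructed for the example, and h is carried in the state but not examined here.

```python
# Added example (not from the slides): checking a BLP state against ss, * and ds.
RANK = {"UC": 0, "C": 1, "S": 2, "TS": 3}


def lbl(level, *cats):
    return (level, frozenset(cats))


def dom(x, y):
    """(L, C) dom (L', C') iff L' <= L and C' is a subset of C."""
    return RANK[y[0]] <= RANK[x[0]] and y[1] <= x[1]


def ss_violations(b, fc, fo):
    """(s, o, p) satisfies ss iff p in {e, a}, or p in {r, w} and fc(s) dom fo(o)."""
    return sorted((s, o, p) for (s, o, p) in b
                  if p in ("r", "w") and not dom(fc[s], fo[o]))


def star_violations(b, fc, fo):
    """Slide 25's three clauses: a needs fo(o) dom fc(s) (write-up),
    w needs fo(o) = fc(s) (equality), r needs fc(s) dom fo(o) (read-down)."""
    bad = []
    for (s, o, p) in b:
        if p == "a" and not dom(fo[o], fc[s]):
            bad.append((s, o, p))
        elif p == "w" and fo[o] != fc[s]:
            bad.append((s, o, p))
        elif p == "r" and not dom(fc[s], fo[o]):
            bad.append((s, o, p))
    return sorted(bad)


def ds_violations(b, m):
    """ds-property: every (s, o, p) in b must have p in m[s, o]."""
    return sorted((s, o, p) for (s, o, p) in b if p not in m.get((s, o), set()))


def check_state(state):
    b, m, (fs, fo, fc), h = state      # h is carried but not examined in this example
    return {"ss": ss_violations(b, fc, fo),
            "star": star_violations(b, fc, fo),
            "ds": ds_violations(b, m)}


def is_secure(state):
    """A state is secure iff it has no ss-, *- or ds-violations."""
    return not any(check_state(state).values())


# Constructed state. fs (maximum level) is kept for completeness; the
# properties above use the current level fc, as the slides do.
FS = {"alice": lbl("TS", "NUC", "EUR"), "bob": lbl("UC")}
FC = {"alice": lbl("S", "NUC"), "bob": lbl("UC")}
FO = {"log": lbl("UC"), "plan": lbl("S", "NUC"), "report": lbl("TS", "NUC", "EUR")}
M = {("alice", "log"): {"r"}, ("alice", "plan"): {"r", "w"},
     ("alice", "report"): {"a"}, ("bob", "plan"): {"r"}, ("bob", "log"): {"r"}}
B = {("alice", "log", "r"),        # read-down: fine
     ("alice", "plan", "w"),       # equal levels: fine
     ("alice", "report", "a"),     # write-up: fine
     ("bob", "plan", "r"),         # bob reads up: breaks ss and *
     ("bob", "log", "w")}          # levels equal, but w not granted in m: breaks ds
H = {}
STATE = (B, M, (FS, FO, FC), H)

# The same state with the two offending accesses removed.
FIXED_STATE = (B - {("bob", "plan", "r"), ("bob", "log", "w")}, M, (FS, FO, FC), H)

if __name__ == "__main__":
    print(check_state(STATE))
    print(is_secure(STATE), is_secure(FIXED_STATE))
```

The two violating triples show the division of labour between the properties: bob's read of plan is a mandatory (label) violation caught by both ss and *, while bob's write to log is label-consistent and fails only the discretionary ds check against m.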

Page 28: Computer Security Confidentiality Policies

The Bell-LaPadula model: Basic Security Theorem

The system (R, D, W, z0) is a secure system if it satisfies the ss-property, the *-property and the ds-property.

Page 29: Computer Security Confidentiality Policies

Example model instantiation: Multics

The Multics system

There are five groups of rules:

1. A set of requests R1: to request and release access
2. A set of requests R2: to give access to and remove access from a different subject
3. A set of requests R3: to create and reclassify objects
4. A set of requests R4: to remove objects
5. A set of requests R5: to change a subject's security level

Page 30: Computer Security Confidentiality Policies

Tranquility

Principle of tranquility: Subjects and objects may not change their security levels once they have been instantiated.

Principle of strong tranquility: No change during the lifetime of the system.

Principle of weak tranquility: Security levels do not change in a way that violates the rules of a given security policy (for BLP: ss and *).

Page 31: Computer Security Confidentiality Policies

McLean's system Z

McLean reformulated the notion of a secure action and defined an alternative version of ss, * and ds.

Roughly, a system satisfies these properties if: given a state of the system that satisfies them, the action transforms the state into a possibly new state that also satisfies them, and eliminates any accesses present in the transformed state that would violate the initial state.

Page 32: Computer Security Confidentiality Policies

McLean's system Z

Theorem. A system is secure if its initial state is secure and if each action satisfies the alternative versions of ss, * and ds.