1 / 7

Tranquility and BLP

Tranquility and BLP. Dan Fleck CS 469: Security Engineering. 1. These slides are modified with permission from Bill Young ( Univ of Texas). Changing Labels.

nate
Download Presentation

Tranquility and BLP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Tranquility and BLP Dan Fleck CS 469: Security Engineering 1 These slides are modified with permission from Bill Young (Univ of Texas)

  2. Changing Labels Simple Security and the *-property constrain accesses to objects by subjects according to the relationship between their labels. But what if the labels are allowed to change? Assume you could somehow change an object’s label from (Top Secret: { Crypto }) To (Unclassified: {}) independent of the object’s contents. This would clearly violate confidentiality. Why? John McLean of the Naval Research Lab pointed out that our rules so far don’t prohibit this. 2

  3. Tranquility Properties We clearly need an additional rule that governs changing labels. You might choose one of these: The Strong Tranquility Property: Subjects and objects do not change labels during the lifetime of the system. The Weak Tranquility Property: Subjects and objects do not change labels in a way that violates the “spirit” of the security policy. Are these useful? Are they overly restrictive? What if a user needs to operate at different levels during the course of the day? 3

  4. Weak Tranquility The Weak Tranquility Property: Subjects and objects do not change labels in a way that violates the “spirit” of the security policy. What does this mean? • Suppose your system includes a command to lower the level of a object in an unconstrained way. Does that violate the goals of simple security or the *-property? • Suppose your system includes a command to raise the level of a object in an unconstrained way. Does that violate the goals of simple security or the *-property? • What about subjects? Can they change levels up or down? 4

  5. Principle of Tranquility • Raising object’s security level • Information once available to some subjects is no longer available • Usually assume information has already been accessed, so this does nothing • Lowering object’s security level • The declassification problem • Essentially, a “write down” violating *-property • Solution: define set of trusted subjects that sanitize or remove sensitive information before security level lowered 5

  6. Bell and LaPadula The Simple Security Property, *-Property and Tranquility Property formalize a large portion of multi-level security, which is also sometimes called military security. This formalization is due to D. Elliott Bell and Len LaPadula (1973–75) and is called the Bell and LaPadula Model (BLP). BLP did formal modeling to show security can be maintained if you describe all system states (i.e. build a state machine). Despite its age BLP is still a cornerstone of modern computer security and is still very widely used as a policy. 6

  7. Lessons • The ability to change labels arbitrarily can subvert security, so we need a tranquility property to deal with that threat. • Simple Security, the *-Property, and Tranquility together form the basis of the Bell and LaPadula (BLP) model of security. • BLP is a widely used model of military security. However some have questioned it: • McLean: “value of the BLP is much overrated since there is a great deal more to security than it captures. Further, what is captured by the BLP is so trivial that it is hard to imagine a realistic security model for which it does not hold.” 7

More Related