
Access Control and the Bell-LaPadula Model


Presentation Transcript


  1. Access Control and the Bell-LaPadula Model CS 4235

  2. Historical Background
  • Physical access control
  • No mixing of data (sensitive vs not)
  • Hardwired terminal access
  • No multiplexing of users and data
  • What happens when all the data is stored in the same place and users with different trust levels are allowed to access it?
  • Multi-level security problem

  3. Documents vs People
  • Documents have classifications
    • Top Secret
    • Secret
    • Confidential
    • Unclassified
    • Sensitive
    • Non-sensitive
  • People have clearances
    • Top Secret
    • Secret
    • Q

  4. There are also code words that are not classifications
  • ULTRA identified information encrypted with Enigma machines
  • Categories – how material is handled
    • Sensitive Compartmented Information (SCI) – Intelligence
      • Operations and methods
      • Nuclear secrets
      • Stealth
    • Special Access Programs (SAP) – Defense
      • Acknowledged
      • Unacknowledged
      • Waived
  • Solves two logistical problems
    • Collateral clearances for everyone would be expensive
    • Need to limit information to those with need to know
  • SIGMA (Department of Energy)
  • SAP/SCI requires a Sensitive Compartmented Information Facility (SCIF)

  5. Caveats and Other Codes
  • NOFORN
  • RESTRICTED
  • NO CONTRACTOR
  • REL TO <Country Code>
  • ORCON
  • FOUO
  • PROPIN
  • SECRET//<compartment name>//NOFORN//ORCON//25X1

  6. People are cleared to
  • Classification levels
  • Categories
  • Other labels

  7. Discretionary Access Control
  • E.g., Unix permissions
  • Set access conditions on a file so that only a group of your choosing can read it
  • Anyone with access can propagate the information by resetting permissions

  8. Mandatory Access Control
  • Security authority sets permissions
  • Only the security authority can propagate information
  • Violations are very serious

  9. Orderings
  • TS > S > C
  • How about
    • (S//NUC//NOFORN) vs TS?
    • (TS//EUR/25x1) vs (TS//CRYPTO//PROPIN)?

  10. Access Control Models
  • (S, O, R) → YES/NO
  • Read (observe)
  • Write (observe, alter)
  • Execute (no observe, no alter)
  • Append (alter, no observe)

  11. Accesses take the system from state to state
  • All accesses must be allowed by MAC rules
  • Diagram: states σ1, σ2, σ3 connected by the accesses (S, a, read) and (T, b, append)
  • If you start in a secure state, do you end up in a secure state?

  12. Granting Access Should Not Violate MAC
  • Diagram: a subject READs a high-level object and WRITEs a low-level object; the arrows show the resulting flow of information (marked "?")

  13. Simple Security Property
  • The current level of a subject dominates the level of every object that it observes
  • Like paper systems
  • "No read up"

  14. *-Property
  • If S can observe a and alter b, then a ≤ b
  • "No write down"

  15. Partial Orders
  • S = {a1, a2, …, an}
  • P = (S, ≤) is a PO iff
    • If a ≤ b and b ≤ a, then a = b (anti-symmetric)
    • If a ≤ b and b ≤ c, then a ≤ c (transitive)
    • a ≤ a (reflexive)
  • Examples
    • Natural numbers under ≤
    • Subsets under ⊆
  • How about
    • Choices on a ballot under "is preferred to"?
    • People under "trusts"?
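As an added illustration of slides 15 and 16 (this is not code from the deck), the following Python checks the three partial-order axioms exhaustively on a finite relation and then tests whether every pair of elements has a least upper bound and a greatest lower bound, which for a finite poset is the lattice condition. The three inputs are constructed for the example: subsets of {NUC, CRYPTO} under inclusion, a made-up "trusts" relation between three people, and a four-element poset with no top.

```python
from itertools import combinations, product


def is_partial_order(elements, leq):
    """Slide 15: leq is a partial order on elements iff it is reflexive,
    anti-symmetric and transitive. Checked exhaustively on the finite set."""
    reflexive = all(leq(a, a) for a in elements)
    antisymmetric = all(a == b or not (leq(a, b) and leq(b, a))
                        for a, b in product(elements, repeat=2))
    transitive = all(leq(a, c) or not (leq(a, b) and leq(b, c))
                     for a, b, c in product(elements, repeat=3))
    return reflexive and antisymmetric and transitive


def least_upper_bound(elements, leq, x, y):
    """The upper bound of x and y that sits below every other upper bound, or None."""
    uppers = [u for u in elements if leq(x, u) and leq(y, u)]
    least = [u for u in uppers if all(leq(u, v) for v in uppers)]
    return least[0] if len(least) == 1 else None


def greatest_lower_bound(elements, leq, x, y):
    """The lower bound of x and y that sits above every other lower bound, or None."""
    lowers = [l for l in elements if leq(l, x) and leq(l, y)]
    greatest = [l for l in lowers if all(leq(v, l) for v in lowers)]
    return greatest[0] if len(greatest) == 1 else None


def is_lattice(elements, leq):
    """Slide 16, finite case: a poset in which every pair has a LUB and a GLB
    (on a finite set this gives one for every non-empty subset)."""
    if not is_partial_order(elements, leq):
        return False
    return all(least_upper_bound(elements, leq, x, y) is not None
               and greatest_lower_bound(elements, leq, x, y) is not None
               for x, y in product(elements, repeat=2))


# Constructed example 1: subsets of two categories under inclusion (a lattice).
CATEGORIES = ("NUC", "CRYPTO")
POWERSET = [frozenset(s) for r in range(len(CATEGORIES) + 1)
            for s in combinations(CATEGORIES, r)]


def subset(a, b):
    return a <= b


# Constructed example 2: a "trusts" relation. Alice and Bob trust each other
# (breaks anti-symmetry) and trust is not transitive, so this is not a PO.
PEOPLE = ("alice", "bob", "carol")
TRUSTS = {(p, p) for p in PEOPLE} | {("alice", "bob"), ("bob", "alice"), ("bob", "carol")}


def trusts(a, b):
    return (a, b) in TRUSTS


# Constructed example 3: a PO that is not a lattice. a and b both sit below
# c and d, but c and d are incomparable, so {a, b} has no *least* upper bound.
NO_TOP = ("a", "b", "c", "d")
NO_TOP_REL = {(x, x) for x in NO_TOP} | {("a", "c"), ("a", "d"), ("b", "c"), ("b", "d")}


def no_top_leq(x, y):
    return (x, y) in NO_TOP_REL


if __name__ == "__main__":
    print("subsets: PO", is_partial_order(POWERSET, subset), "lattice", is_lattice(POWERSET, subset))
    print("trusts:  PO", is_partial_order(PEOPLE, trusts))
    print("no top:  PO", is_partial_order(NO_TOP, no_top_leq), "lattice", is_lattice(NO_TOP, no_top_leq))
```

The third example is the one to keep in mind for the next slides: a set of labels can be a perfectly good partial order and still fail to be a lattice, and without a lattice there is no unique "lowest label that covers both" to assign to an object that combines two sources.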

  16. Lattices
  • A POSET S
  • Every subset of S has a greatest lower bound
  • Every subset of S has a least upper bound
  • Diagram: a subset of S, its upper bounds x1 … x5, and the least upper bound x

  17. Security Levels
  • A security level is a pair (c, s) where
    • c is a classification from a POSET of classifications (e.g., U, S, TS, but the exact classifications don't matter)
    • s is a set of categories (e.g., NUC, CRYPTO, …, but the exact categories don't matter)
  • (c1, s1) ≥ (c2, s2) iff c1 ≥ c2 and s2 ⊆ s1
  • Levels form a lattice

  18. Assigning Security Levels to Subjects and Objects
  • level(S), level(O) = security level of S, O
  • current-level(S) = levels at which S can operate
  • current-level(S) ≤ level(S)
  • level(S) = max(current-level(S)) is called S's clearance

  19. Security Properties
  • SS-property: for any (S, O, A), if A includes observation then level(S) ≥ level(O) – "no read up"
  • *-property: for any (S, O, A)
    • r ∈ A implies current-level(S) ≥ level(O)
    • a ∈ A implies current-level(S) ≤ level(O)
    • w ∈ A implies current-level(S) = level(O)
  • "No write down": if a subject can observe O1 and modify O2, then level(O2) ≥ level(O1)

  20. Lattice Model
  • Information only flows up the lattice
  • System enforces the SS and * properties

  21. A MAC Implementation
  • Unix file system
  • Label all files and directories with levels
  • Assign level(u) to each user u
  • u is initially assigned the lowest current-level
  • Allow current-level(u) to float as higher-level files are observed
  • If level(u) ≥ current-level(u) issue kill(u)
  • If level(f) ≥ level(u) and u writes to f issue kill(u)
  • Is this secure?
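To make the definitions of slides 17 to 19 and the floating-level scheme of slide 21 concrete, here is an added Python example; it is not code from the deck. It assumes the classification order U < C < S < TS, a label syntax "S//NUC//CRYPTO" in which every token after the classification is treated as a category (caveats such as NOFORN included, which the slides keep separate), and it reads slide 21's kill conditions as the write-down check of the *-property, while a read above the clearance is simply refused. All users, files and requests in the scenario are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Assumed classification order for the example; slide 17 says the exact names don't matter.
RANK = {"U": 0, "C": 1, "S": 2, "TS": 3}


@dataclass(frozen=True)
class Level:
    """Slide 17: a security level is a pair (c, s) of classification and category set."""
    c: str
    s: FrozenSet[str] = frozenset()

    def dominates(self, other: "Level") -> bool:
        # (c1,s1) >= (c2,s2) iff c1 >= c2 and s2 is a subset of s1
        return RANK[self.c] >= RANK[other.c] and other.s <= self.s


def lub(a: Level, b: Level) -> Level:
    """Least upper bound in the level lattice: higher classification, union of categories."""
    return Level(a.c if RANK[a.c] >= RANK[b.c] else b.c, a.s | b.s)


def glb(a: Level, b: Level) -> Level:
    """Greatest lower bound: lower classification, intersection of categories."""
    return Level(a.c if RANK[a.c] <= RANK[b.c] else b.c, a.s & b.s)


def parse(label: str) -> Level:
    """Assumed label syntax 'S//NUC//CRYPTO': classification first, then categories."""
    parts = label.split("//")
    return Level(parts[0], frozenset(parts[1:]))


def check(clearance: Level, current: Level, obj: Level, mode: str) -> Tuple[bool, str]:
    """Slide 19 applied to one access (S, O, A) with a fixed current-level.
    mode: 'r' read, 'a' append, 'w' write (observe + alter), 'e' execute."""
    if mode in ("r", "w") and not clearance.dominates(obj):
        return False, "SS-property: no read up"
    if mode == "r" and not current.dominates(obj):
        return False, "*-property: current-level must dominate an observed object"
    if mode == "a" and not obj.dominates(current):
        return False, "*-property: no write down"
    if mode == "w" and current != obj:
        return False, "*-property: write needs current-level == level(O)"
    return True, "allowed"  # execute neither observes nor alters, so it is unconstrained here


class Monitor:
    """Slide 21's scheme: users start at the lowest level, current-level floats up
    on observation, and a write that would move information down kills the session."""

    def __init__(self, users: Dict[str, Level], files: Dict[str, Level]):
        self.clearance, self.files = users, files
        self.current = {u: Level("U") for u in users}  # lowest current-level
        self.killed = set()

    def request(self, u: str, f: str, mode: str) -> Tuple[bool, str]:
        if u in self.killed:
            return False, "session already killed"
        clr, cur, obj = self.clearance[u], self.current[u], self.files[f]
        if mode in ("r", "w") and not clr.dominates(obj):
            return False, "SS-property: no read up"  # refused, not killed
        if mode == "a" and not obj.dominates(cur):
            self.killed.add(u)
            return False, "*-property: no write down, kill(u)"
        if mode == "w" and cur != obj:
            self.killed.add(u)
            return False, "*-property: write below current-level, kill(u)"
        if mode in ("r", "w"):
            # Float up. cur <= clr and obj <= clr, so lub(cur, obj) <= clr still holds.
            self.current[u] = lub(cur, obj)
        return True, "allowed"


def demo() -> Tuple[List[Tuple[str, str, str, bool, str]], Monitor]:
    """Constructed scenario: user u reads upward, then tries to write down."""
    mon = Monitor(
        users={"u": parse("S//NUC"), "v": parse("C")},
        files={"public.txt": parse("U"), "secret.txt": parse("S"), "nuc-plan": parse("S//NUC"),
               "ts-plan": parse("TS"), "audit.log": parse("TS")},
    )
    requests = [("u", "public.txt", "r"), ("u", "secret.txt", "r"), ("u", "audit.log", "a"),
                ("u", "nuc-plan", "r"), ("u", "public.txt", "w"), ("u", "secret.txt", "r"),
                ("v", "ts-plan", "r"), ("v", "public.txt", "r")]
    trace = []
    for u, f, mode in requests:
        ok, why = mon.request(u, f, mode)
        trace.append((u, f, mode, ok, why))
    return trace, mon


if __name__ == "__main__":
    for row in demo()[0]:
        print(row)
```

In the trace, u's current-level floats from U to S and then to S//NUC as higher files are read, so the later write to public.txt is exactly the write-down the *-property forbids and the monitor kills the session; the append to the TS audit log is allowed because information there only flows up (slide 20). The `check` function, with a fixed current-level, also reproduces slide 9's incomparable pair: neither TS nor S//NUC//NOFORN dominates the other, so a subject at one cannot read the other.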
