Saturday, January 11, 2014

Chapter 5: Confidentiality Policies

Overview

      Goals of Confidentiality Model

      Bell-LaPadula Model

      Goal: prevent the unauthorized disclosure of information

   Deals with information flow

   Integrity incidental

      Multi-level security models are best-known examples

   Bell-LaPadula Model basis for many, or most, of these

Bell-LaPadula Model, Step 1

      Security levels arranged in linear ordering

   Top Secret: highest

   Secret

   Confidential

   Unclassified: lowest

      Levels consist of security clearance L(s)

   Objects have security classification L(o)

Example

Reading Information

      Information flows up, not down

   “Reads up” disallowed, “reads down” allowed

      Simple Security Condition (Step 1)

   Subject s can read object o iff L(o) ≤ L(s) and s has permission to read o

   Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)

   Sometimes called “no reads up” rule

Writing Information

      Information flows up, not down

   “Writes up” allowed, “writes down” disallowed

      *-Property (Step 1)

   Subject s can write object o iff L(s) ≤ L(o) and s has permission to write o

   Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)

   Sometimes called “no writes down” rule

Basic Security Theorem, Step 1

      If a system is initially in a secure state, and every transition of the system satisfies the simple security condition, step 1, and the *-property, step 1, then every state of the system is secure

   Proof: induct on the number of transitions

Bell-LaPadula Model, Step 2

      Expand notion of security level to include categories

      Security level is (clearance, category set)

      Examples

   ( Top Secret, { NUC, EUR, ASI } )

   ( Confidential, { EUR, ASI } )

   ( Secret, { NUC, ASI } )

Levels and Lattices

      (A, C) dom (A′, C′) iff A′ ≤ A and C′ ⊆ C

      Examples

    (Top Secret, {NUC, ASI}) dom (Secret, {NUC})

    (Secret, {NUC, EUR}) dom (Confidential,{NUC, EUR})

    (Top Secret, {NUC}) ¬dom (Confidential, {EUR})

      Let C be the set of classifications and K the set of categories. The set of security levels L = C × K, ordered by dom, forms a lattice

    lub(L) = (max(A), C)

    glb(L) = (min(A), ∅)

Levels and Ordering

      Security levels partially ordered

   Any pair of security levels may (or may not) be related by dom

      “dominates” serves the role of “greater than” in step 1

   “greater than” is a total ordering, though

Reading Information

      Information flows up, not down

   “Reads up” disallowed, “reads down” allowed

      Simple Security Condition (Step 2)

   Subject s can read object o iff L(s) dom L(o) and s has permission to read o

   Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)

   Sometimes called “no reads up” rule

Writing Information

      Information flows up, not down

   “Writes up” allowed, “writes down” disallowed

      *-Property (Step 2)

   Subject s can write object o iff L(o) dom L(s) and s has permission to write o

   Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)

   Sometimes called “no writes down” rule
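As an added worked example (not code from the slides or from the textbook they summarise), the following Python implements the step-2 model: security levels as (clearance, category set), the dom relation, the simple security condition and the *-property with the discretionary permission check, and a state check in the sense the Basic Security Theorem uses (every current access satisfies the rule for its mode). It goes slightly beyond the slides by computing the least upper bound and greatest lower bound of any two levels, not just the top and bottom of the whole lattice. The classification names and the categories NUC, EUR, ASI are the slides' own; the subject and object names, the permission strings and the access-control-matrix layout are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Set, Tuple

# Linear ordering of classifications from step 1; the index is the rank.
CLASSIFICATIONS = ("Unclassified", "Confidential", "Secret", "Top Secret")
RANK = {name: i for i, name in enumerate(CLASSIFICATIONS)}
# Category set K, constructed here to match the slides' examples.
CATEGORIES = frozenset({"NUC", "EUR", "ASI"})


@dataclass(frozen=True)
class Level:
    """Step-2 security level: (clearance or classification, category set)."""
    clearance: str
    categories: FrozenSet[str]

    def __post_init__(self) -> None:
        if self.clearance not in RANK:
            raise ValueError(f"unknown classification {self.clearance!r}")
        # Normalise any iterable of categories to a frozenset so levels are hashable/comparable.
        object.__setattr__(self, "categories", frozenset(self.categories))
        if not self.categories <= CATEGORIES:
            raise ValueError(f"unknown categories {set(self.categories) - CATEGORIES}")

    def dom(self, other: "Level") -> bool:
        """(A, C) dom (A', C') iff A' <= A and C' is a subset of C."""
        return (RANK[other.clearance] <= RANK[self.clearance]
                and other.categories <= self.categories)


def comparable(a: Level, b: Level) -> bool:
    """dom is only a partial order: two levels may be related in neither direction."""
    return a.dom(b) or b.dom(a)


def lub(a: Level, b: Level) -> Level:
    """Least upper bound of two levels: the higher clearance, union of categories."""
    top = a.clearance if RANK[a.clearance] >= RANK[b.clearance] else b.clearance
    return Level(top, a.categories | b.categories)


def glb(a: Level, b: Level) -> Level:
    """Greatest lower bound of two levels: the lower clearance, intersection of categories."""
    low = a.clearance if RANK[a.clearance] <= RANK[b.clearance] else b.clearance
    return Level(low, a.categories & b.categories)


# Top and bottom of the whole lattice, as the slides give them: (max(A), C) and (min(A), empty set).
LATTICE_TOP = Level("Top Secret", CATEGORIES)
LATTICE_BOTTOM = Level("Unclassified", frozenset())

# Discretionary part (constructed): access-control matrix (subject, object) -> permission names.
ACM = Dict[Tuple[str, str], Set[str]]


def can_read(subj: str, l_s: Level, obj: str, l_o: Level, acm: ACM) -> bool:
    """Simple security condition (step 2): L(s) dom L(o) AND s has read permission on o."""
    return l_s.dom(l_o) and "read" in acm.get((subj, obj), set())


def can_write(subj: str, l_s: Level, obj: str, l_o: Level, acm: ACM) -> bool:
    """*-property (step 2): L(o) dom L(s) AND s has write permission on o."""
    return l_o.dom(l_s) and "write" in acm.get((subj, obj), set())


def state_is_secure(accesses: Iterable[Tuple[str, str, str]],
                    levels: Dict[str, Level], acm: ACM) -> bool:
    """A state is secure when every current access (subject, object, mode)
    satisfies the rule for its mode; the theorem's induction checks this per transition."""
    checks = {"read": can_read, "write": can_write}
    return all(checks[mode](s, levels[s], o, levels[o], acm) for s, o, mode in accesses)


def demo() -> Dict[str, bool]:
    """Constructed subject/object levels: one subject, two objects it may access discretionarily."""
    levels = {
        "alice": Level("Secret", {"NUC", "ASI"}),
        "plan": Level("Confidential", {"ASI"}),
        "sat": Level("Top Secret", {"NUC", "EUR", "ASI"}),
    }
    # Discretionary permissions alone would allow everything; the mandatory rules still bite.
    acm: ACM = {("alice", "plan"): {"read", "write"}, ("alice", "sat"): {"read", "write"}}
    return {
        "read_down": can_read("alice", levels["alice"], "plan", levels["plan"], acm),
        "read_up": can_read("alice", levels["alice"], "sat", levels["sat"], acm),
        "write_up": can_write("alice", levels["alice"], "sat", levels["sat"], acm),
        "write_down": can_write("alice", levels["alice"], "plan", levels["plan"], acm),
        "secure_state": state_is_secure(
            [("alice", "plan", "read"), ("alice", "sat", "write")], levels, acm),
        "insecure_state": state_is_secure([("alice", "sat", "read")], levels, acm),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The two mandatory checks are deliberately mirror images of each other (read needs the subject to dominate, write needs the object to dominate), which is exactly why a subject cleared for Secret can read the Confidential object and write to the Top Secret one but not the reverse; both checks still fail if the discretionary matrix lacks the permission, matching the "combines mandatory and discretionary control" note on the slides.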
