Lecture 4: Bell LaPadula


Presentation Transcript

Slide 1

CS 591: Introduction to Computer Security. Lecture 4: Bell LaPadula. James Hook

Slide 2

Objectives
Introduce the Bell LaPadula model for security policy.
Discuss criticisms of Bell LaPadula.

Slide 3

References: Bell retrospective; Bishop Chapter 5; Anderson

Slide 4

Background: Clearance levels
Top Secret: in-depth background investigation; highly trusted individual.
Secret: routine background investigation; trusted individual.
For Official Use Only/Sensitive: no background investigation, but limited distribution; minimally trusted individuals. May be exempt from disclosure.
Unclassified: unlimited distribution; untrusted individuals.

Slide 5

Background
Clearance levels are only half of the story. They give a level of trust of the subject.
The "need to know" policy gives an orthogonal structure called compartmentalization.
A category (or compartment) is a designation related to the "need to know" policy.
Examples: NUC: Nuclear; EUR: Europe; ASI: Asia.

Slide 6

Categories and Coalitions
Categories can be critical in complex coalitions.
The US may have two allies that don't wish to share information (perhaps Israel and Saudi Arabia).
Policy must support: Top Secret, Israel; Top Secret, Saudi Arabia; Top Secret, Israel and Saudi Arabia (probably not very many people in this set).

Slide 7

Classification Systems
Both notions of classification lead to a partial order.
TS is more trusted than S.
You can only see information if you are cleared to access all categories that label it.
Mathematicians Bell and LaPadula chose a lattice structure as a natural model for security levels.

Slide 8

Partially Ordered Set
A set S with relation ≤ (written (S, ≤)) is called a partially ordered set if ≤ is:
Anti-symmetric: if a ≤ b and b ≤ a then a = b.
Reflexive: for all a in S, a ≤ a.
Transitive: for all a, b, c, a ≤ b and b ≤ c implies a ≤ c.

Slide 9

Poset examples
Natural numbers with less than or equal (a total order).
Sets under the subset relation (not a total order).
Natural numbers ordered by divisibility.

Slide 10

Lattice
A partially ordered set (S, ≤) and two operations:
greatest lower bound (glb X): the greatest element less than or equal to all elements of set X;
least upper bound (lub X): the least element greater than or equal to all elements of set X.
Every lattice has a bottom (glb L), a least element, and a top (lub L), a greatest element.

Slide 11

Lattice examples
Natural numbers in an interval (0 .. n) with less than or equal.
Also the linear order of clearances (U ≤ FOUO ≤ S ≤ TS).
The powerset of a set of generators under inclusion, e.g. the powerset of the security categories {NUC, Crypto, ASI, EUR}.
The divisors of a natural number under divisibility.

Slide 12

New lattices from old
The dual (opposite) of a lattice is a lattice.
The product of two lattices is a lattice.
The lattice of security classifications used by Bishop is the product of the lattice of clearances and the lattice of sets generated from the categories (compartments).

Slide 13

Mandatory Access Control
In a MAC system all documents are assigned labels by a set of rules.
Documents may only be relabeled under defined special conditions.
Violations of the policy are considered serious offenses (criminal or treasonous acts).

Slide 14

Bell LaPadula Context
The pre-Anderson report approach was not to mix data of different classifications on a single system.
Still a good idea if it meets your needs.
The Anderson report identified "on-line multi-level secure operation" as a goal of computer security.

Slide 15

From Paper to Computers
How to apply MAC to computers?
Documents are analogous to objects in Lampson's Access Control model. Every object can be labeled with a classification.
Cleared personnel are analogous to subjects. Every subject can be labeled with a clearance.
What about processes?

Slide 16

Note on subject labels
A person is generally cleared "up to" a level.
Cross-level communication requires that a person be able to interact below their level of clearance.
Subjects are given two labels: the maximum level and the current level. Current never exceeds maximum.
We will focus on static labelings: a subject won't dynamically change their current level.

Slide 17

Bell LaPadula
The goal was to propose a theory of multi-level security, supported by a mechanism implemented in an Anderson-style reference monitor, that prevents undesirable information flow.

Slide 18

BLP model
Adapt Lampson's ACM.
Define the system as a state machine.
Define key actions, such as file system interaction, as transitions.
Classify actions as observation (reads) or alteration (writes). [Aside: how to classify execute?]
Show that only "secure states" are reachable.

Slide 19

Simple Security
The simple security property: the current level of a subject dominates the level of every object that it observes.
This property is strongly analogous to paper systems.
It is referred to by the slogan "no read up".

Slide 20

Problem. Figure from Bell 2005.

Slide 21

Problem
Simple Security does not account for alterations (writes).
Another property is needed to characterize alterations.

Slide 22

*-Property. Figure from Bell 2005.

Slide 23

*-Property
In any state, if a subject has simultaneous "observe" access to object 1 and "alter" access to object 2, then level(object 1) is dominated by level(object 2). From BLP 1976, Unified Exposition.
Slogan: "no write down".

Slide 24

Discretionary
In addition to the MAC mechanisms of the simple security and *-properties, the BLP model also has a discretionary component.
All accesses must be allowed by both the MAC and the discretionary rules.

Slide 25

BLP Basic Security Theorem
If all transitions (considered individually) satisfy the simple security property, the *-property, and the discretionary security property, then system security is preserved inductively (that is, all states reached from a "secure" state are "secure").

Slide 26

Bell Retrospective
Note: this presentation and Bishop largely follow the "unified exposition".
How did the *-property evolve?
Where did the current security level come from?

Slide 27

Bell Discussion
What was the motivating example of a "trusted subject"? Explain the concept.
How should the BLP model be adapted?
Bell's paper changes mode in Section 5: it moves from a description of BLP to reflections on its impact.
We will return to these topics periodically.

Slide 28

Systems Built on BLP
BLP was a simple model. The intent was that it could be enforced by simple mechanisms.
File system access control was the obvious choice.
Multics implemented BLP. Unix inherited its discretionary AC from Multics.

Slide 29

BLP in practice
Bishop describes the Data General B2 UNIX system in detail. The treatment addresses:
Explicit and implicit labeling (applied to removable media).
Multilevel directory management. Consider the challenges of a multilevel /tmp with traditional UNIX compilation tools.
MAC Regions (intervals of levels).

Slide 30

MAC Regions
IMPL_HI is the "maximum" (least upper bound) of all levels.
IMPL_LO is the "minimum" (greatest lower bound) of all levels.
Slide from Bishop "05.ppt".

Slide 31

Discussion
When would you apply a model this restrictive?

Slide 32

Further Reading
Ross Anderson's Security Engineering, Chapter 7: Multilevel security. Standard criticisms, alternative definitions, several more examples.

Slide 33

Criticisms of Bell LaPadula
BLP is simple and supports formal analysis. Is it enough?
McLean wrote a critical paper asserting that the BLP rules were insufficient.

Slide 34

McLean's System Z
Proposed System Z = BLP + (request for downgrade).
User L gets document H by first requesting that H be downgraded to L and then doing a legal BLP read.
Proposed fix: tranquility.
Strong: labels never change during operation.
Weak: labels never change in a way that would violate a defined policy.
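The following is an added example, not part of the lecture slides: it builds the product lattice of slides 8 to 12 (linear clearance order times powerset of the categories from slide 11), implements the simple security and *-property checks of slides 19 to 25 as a tiny reference monitor, and then models the System Z downgrade from this slide to show why tranquility is required. The names Level, may_read, may_write and system_z_read are assumptions of this example; the dominance relation, lub and glb are the standard ones the slides define.

```python
# Added example (not from the lecture): Bishop's BLP lattice as the product of
# the linear clearance order (U <= FOUO <= S <= TS) and the powerset of
# categories under inclusion, plus BLP access checks and McLean's System Z.
from typing import FrozenSet, NamedTuple

CLEARANCES = ["U", "FOUO", "S", "TS"]   # linear order; list index is the rank


class Level(NamedTuple):
    clearance: str
    cats: FrozenSet[str]                 # subset of {NUC, Crypto, ASI, EUR}

    def dominates(self, other: "Level") -> bool:
        """Product order: clearance at least as high AND categories a superset."""
        return (CLEARANCES.index(self.clearance) >= CLEARANCES.index(other.clearance)
                and self.cats >= other.cats)


def lub(a: Level, b: Level) -> Level:
    """Least upper bound: higher clearance, union of categories."""
    return Level(max(a.clearance, b.clearance, key=CLEARANCES.index), a.cats | b.cats)


def glb(a: Level, b: Level) -> Level:
    """Greatest lower bound: lower clearance, intersection of categories."""
    return Level(min(a.clearance, b.clearance, key=CLEARANCES.index), a.cats & b.cats)


def may_read(subject: Level, obj: Level) -> bool:
    """Simple security ("no read up"): subject's current level dominates the object."""
    return subject.dominates(obj)


def may_write(subject: Level, obj: Level) -> bool:
    """*-property ("no write down"): the object's level dominates the subject's."""
    return obj.dominates(subject)


def system_z_read(subject: Level, objects: dict, name: str, tranquil: bool) -> bool:
    """McLean's System Z: a subject may request that an object be downgraded to its
    own level and then perform a legal BLP read. Each step satisfies BLP, yet a low
    subject ends up reading high data. With strong tranquility the relabel is refused."""
    if not may_read(subject, objects[name]):
        if tranquil:
            return False                 # labels never change during operation
        objects[name] = subject          # the downgrade System Z permits (constructed)
    return may_read(subject, objects[name])
```

Levels such as (TS, {NUC}) and (S, {NUC, EUR}) are incomparable, which is exactly why a lattice rather than a total order is needed; lub and glb of those two give (TS, {NUC, EUR}) and (S, {NUC}).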

Slide 35

Alternatives
Goguen & Meseguer, 1982: Noninterference.
Model computation as event systems. Interleaved or concurrent computation can generate interleaved traces.
High actions have no effect on low actions: the "low trace" of a system is the same for all "high processes" that are added to the mix.
Problem: needs deterministic traces; does not scale to distributed systems.

Slide 36

Nondeducibility
Sutherland, 1986. Low cannot deduce anything about high with 100% certainty.
Historically important, fairly weak.
Addressed the problem of nondeterminism in distributed systems.

Slide 37

Intransitive noninterference
Rushby, 1992. Updates Goguen & Meseguer to deal with the reality that some communication may be authorized (e.g. High can interfere with Low if it is mediated by crypto).

Slide 38

Looking forward: Chapter 6: Integrity Policies