Bell-LaPadula Model – read down/write up Security levels arranged in linear ordering

Top Secret: highest Secret Confidential Unclassified: lowest

Levels consist of security clearance L(s) Objects have security classification L(o)

security level subject object

Top Secret Tamara Personnel Files

Secret Samuel E-Mail Files

Confidential Claire Activity Logs

Unclassified Alice Telephone Lists

• Tamara can read all files• Claire cannot read Personnel or E-Mail Files• Alice can only read Telephone Lists

Reading Information

Information flows up, not down “Reads up” disallowed, “reads down”

allowed Simple Security Condition

Subject s can read object o iff, L(o) ≤ L(s) and s has permission to read o

• Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)

Sometimes called “no reads up” rule

Writing Information

Information flows up, not down “Writes up” allowed, “writes down”

disallowed *-Property

Subject s can write object o iff L(s) ≤ L(o) and s has permission to write o

• Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)

Sometimes called “no writes down” rule

Basic Security Theorem

If a system is initially in a secure state, and every transition of the system satisfies the simple security condition, and the *-property, then every state of the system is secure Proof: induct on the number of transitions

Biba integrity model (confidentiality model) Bell-La Padula model (read-down/write-up)

Biba (read-up/write-down) – dual of BLP model Subject cannot corrupt data in a higher level Subject cannot be corrupted by data with a

lower level1. s S can read o O iff i(s) ≤ i(o)2. s S can write to o O iff i(o) ≤ i(s)3. s1 S can execute s2 S iff i(s2) ≤ i(s1) i is integrity level

Motivation: Hurricane Katrina 2005

The Coast Guard was one of the worst off enders: FEMA officials would later say the agency [Coast Guard] did almost nothing to keep other units up to speed on its activities [Garnett, Kouzmin 07]

Another of the tragedies of Katrina came when interorganizational networking failed to rise to the occasion. Federal agencies were too seldom on the same page -- even agencies within the same department,such as FEMA and the HSOC.

…, it also stemmed from differences in organizational culture and lack of trust that surfaced before Katrina had even formed.

Quantified risk adaptive access control The problem is about balancing risk vs. benefit

tradeoffs and existing access control policies Traditional models specify these tradeoffs statically

Goal: to be adaptive to the dynamic environments and the needs to which the policies are applied.

An organization continually optimizes access control based on risk vs. benefit tradeoffs Constraint: capping overall risk cannot be realized.

IBM paper: Fuzzy Multi–Level Security :An Experiment on Quantified Risk–Adaptive Access ControlPau–Chen Cheng et al. [IEEE Security&Privacy 07]

Intuition for fuzzy multi-level security Need to determining the probability of

unauthorized disclosure A precise determination is generally impossible since

that would require predicting future user behaviors.

For example, the probability should be very high when a person

without security clearance is given access to top secret information,

but relatively low if the access is given to a person with top secret clearance.

The model also asks the user to claim the perceived benefits of access Self-claimed benefit value Need to have an audit system

Probabilistic model in fuzzy MLS Probability of unauthorized disclosure P = P1 + P2 −

P1P2

The Fuzzy MLS model considers P1 to be the probability that a human subject (a user) leaks the information by succumbing to temptation and P2 to be the probability of inadvertent disclosure, regardless of a subject’s intention. The model estimates P1 and P2 but they are no longer

binary. Thus, the Fuzzy MLS model quantifies the risk that is the

concern of the simple security property of the Bell–LaPadula model; this property states that a subject can not read up and is

meant to prevent unauthorized disclosure of information to human subjects.

Integrity policy: motivation

In commercial environments, who examines and certifies that the transactions are performed correctly?

When a company receives an invoice, the purchasing office requires 2 steps: Someone must have requested a service, and

determined the account that would pay for the service

Someone must validate the invoice, the account must be debited, the check is written and signed

Need at least two different people perform the transactions Separation of duty

Clark-Wilson model

Aimed at commercial rather than military applications, and closely models real commercial operations.

Proposed a set of rules To form a two-part integrity assurance facility

Certification is done by a security officer with respect to an integrity policy

Enforcement is done by the system

Entities

constrained data items: CDI Data subject to integrity controls

unconstrained data items: UDI Data not subject to integrity controls

integrity verification procedures: TVP Procedures that test the constrained data items

conform to the integrity constraints transaction procedures: TP

Procedures that take the system from one valid state to another

[Source: Stalling & Brown]

Certification Rules 1 and 2CR1 When any integrity verification procedure is run, it

must ensure all constrained data items are in a valid state

CR2 For some associated set of constrained data items, a transaction procedure (TP) must transform those constrained data items in a valid state into a (possibly different) valid state

Defines relation certified that associates a set of constrained data items with a particular transaction procedure

Example: transaction procedure balance, constrained data items accounts, in bank example

However, the system should specify the scope of a TP’s power. That’s next.

Enforcement Rules and User rulesER1 only transaction procedures certified to run on a

constrained data item manipulate that constrained data item.

ER2 associate a user with each transaction procedure and set of constrained data items

ER3 The system must authenticate each user attempting to execute a transaction procedure

E.g., a user certified to do stock investment is not allowed to mess up bank balance

Separation of Duty In Model

ER4 Only the certifier of a transaction procedure may change the list of entities associated with that transaction procedure.

No certifier of a transaction procedure may ever have execute permission with respect to that entity. Enforces separation of duty with respect to

certified and allowed relations

CR3 The allowed relations must meet the requirements imposed by the principle of separation of duty.

Logging

CR4 All transaction procedures must append enough information to reconstruct the operation to an append-only constrained data item.

Handling Untrusted Input

CR5 Any TP that takes an unconstrained data item (UDI) as an input value must be certified to perform only valid transformations, or else no transformations, for any possible value of the UDI.

E.g., In bank, numbers entered at keyboard are unconstrained data items, so cannot be input to transaction procedures. transaction procedures must validate numbers

(to make them a constrained data item) before using them;

if validation fails, transaction procedure rejects unconstrained data item

If you claim you deposit $1million, the bank needs to validate that claim

Key Points

Confidentiality models restrict flow of information Bell-LaPadula models multilevel security

Cornerstone of much work in computer security

BLP model is generally believed to be very restrictive

Integrity policies deal with trust As trust is hard to quantify, these policies are hard to

evaluate completely Look for assumptions and trusted users to find possible

weak points in their implementation

Clark-Wilson focuses on separation of duty and transactions