January 24, 2023 Outline

Reading: text, §5
Due: Homework #1, due January 24; Project Selection, due January 26

Bell-LaPadula Model: intuitive, security classifications only
1. Level, categories, define clearance and classification
2. Simple security condition (no reads up), *-property (no writes down), discretionary security property
3. Basic Security Theorem: if it is secure and transformations follow these rules, it will remain secure
Bell-LaPadula Model: intuitive, now add category sets
1. Apply lattice
  1. Set of classes SC is a partially ordered set under relation dom with glb (greatest lower bound), lub (least upper bound) operators
  2. Note: dom is reflexive, transitive, antisymmetric
  3. Example: (A, C) dom (A′, C′) iff A ≤ A′ and C ⊆ C′;
    lub((A, C), (A′, C′)) = (max(A, A′), C ∪ C′); and
    glb((A, C), A′, C′)) = (min(A, A′), C ∩ C′)
2. Simple security condition (no reads up), *-property (no writes down), discretionary security property
3. Basic Security Theorem: if it is secure and transformations follow these rules, it will remain secure
Maximum, current security level
Example: Trusted Solaris
Bell-LaPadula: formal model
1. Elements of system: s_i ∈ S subjects, o_i ∈ O objects
2. State space V = B × M × F × H where:
  B set of current accesses (i.e., access modes each subject has currently to each object);
  M access permission matrix;
  F consists of 3 functions: f_s is security level associated with each subject, f_o security level associated with each object, and f_c current security level for each subject;
  H hierarchy of system objects, functions h: O→P(O) with two properties:
  1. If o_i ≠ o_j, then h(o_i) ∩ h(o_i) = ∅
  2. There is no set { o₁, …, o_k } ⊆ O such that for each i, o_i+1 ∈ h(o_i) and o_k+1 = o₁
3. Set of requests is R
4. Set of decisions is D
5. W = R × D × V × V is motion from one state to another
6. System Σ(R, D, W, z₀) ⊆ X × Y × Z such that (x, y, z) ∈ Σ(R, D, W, z₀) iff (x_t, y_t, z_t, z_t−1) ∈ W for each t ∈ T; latter is an action of system
7. Theorem: Σ(R, D, W, z₀) satisfies the simple security condition for any initial state z₀ that satisfies the simple security condition iff W satisfies the following conditions for each action (r_i, d_i, (b′, m′, f′, h′), (b, m, f, h)):
  1. each (s, o, x) ∈ b′ − b satisfies the simple security condition relative to f′ (i.e., x is not read, or x is read and f_s(s) dom f_o(o)); and
  2. if (s, o, x) ∈ b does not satisfy the simple security condition relative to f′, then (s, o, x) ∉ b′
8. Theorem: Σ(R, D, W, z₀) satisfies the *-property relative to S′ ⊆ S for any initial state z₀ that satisfies the *-property relative to S′ iff W satisfies the following conditions for each (r_i, d_i, (b′, m′, f′, h′), (b, m, f, h)):
  1. for each s ∈ S′, any (s, o, x) ∈ b′ − b satisfies the *-property with respect to f′; and
  2. for each s ∈ S′, if (s, o, x) ∈ b does not satisfy the *-property with respect to f′, then (s, o, x) ∉ b′
9. Theorem: Σ(R, D, W, z₀) satisfies the ds-property iff the initial state z₀ satisfies the ds-property and W satisfies the following conditions for each (r_i, d_i, (b′, m′, f′, h′), (b, m, f, h)):
  1. if (s, o, x) ∈ b′ − b, then x ∈ m′[s, o]; and
  2. if (s, o, x) ∈ b and x ∈ m′[s, o], then (s, o, x) ∉ b′
10. Basic Security Theorem: A system Σ(R, D, W, z₀) is secure iff z₀ is a secure state and W satisfies the conditions of the above three theorems for each action.
Using the Bell-LaPadula model
1. Define ssc-preserving, *-property-preserving, ds-property-preserving
2. Define relation W(ω)
3. Show conditions under which rules are ssc-preserving, *-property-preserving, ds-property-preserving
4. Show when adding a state preserves those properties
5. Example instantiation: get-read for Multics
Tranquility
1. Strong tranquility
2. Weak tranquility
System Z and the controversy

Matt Bishop
Office: 2209 Watershed Sciences
Phone: +1 (530) 752-8060
Email: mabishop@ucdavis.edu

ECS 235B, Foundations of Computer and Information Security
Version of January 24, 2023 at 10:06AM

You can also obtain a PDF version of this.