Scribe Notes for May 14, 1997
Now move from the access control model itself to using the model to ensure
Biba wanted to bring trust into the model, and ended up with a dual to BLP (Biba's rules are below; first, the BLP model itself):
- Bell-LaPadula (BLP) access control
  - Has two layers of access control, and both must allow an access.
  - First, mandatory (a.k.a. rule-based access control). Enforced by the
    system in such a way that a user cannot get around it.
  - Second, discretionary (a.k.a. identity-based access control). If the
    owner of a file says a user cannot access the file, then the user cannot
    access the file even though the mandatory check would allow it.
- Formal model of BLP -- encouraged strong debate in the security world
  - Formulated using a state-space approach:
    V = B x M x F
    B is the set of current accesses, i.e. triples (S,O,X) of subject,
    object and access mode. M is the access control matrix. F is the set
    of triples of level functions (fs = "max" security level of a
    subject, fo = security level of an object, fc = current security
    level of a subject).
    In addition to these, have:
    - Set of requests R (e.g. "can I read O?")
    - Set of decisions D (e.g. "yes, you can read")
    - Relation W subset of R x D x V x V, the transition relation:
      (r, d, v', v) is a member of W when request r made in state v
      gets decision d and moves the system to the new state v'
    - System SIGMA(R,D,W,z0) subset of X x Y x Z, where X, Y and Z are
      the sequences of requests, decisions and states over time, such
      that (x, y, z) is a member of SIGMA(R,D,W,z0) if and only if z
      starts from the initial state z0 and (x_t, y_t, z_t, z_{t-1}) is a
      member of W for every t in T (the time steps 1, 2, 3, ...).
- Given the above formulation, BLP proved:
  - THEOREM: SIGMA(R,D,W,z0) satisfies the simple security property (a
    subject may observe an object only if the subject's level dominates
    the object's level: read down, never read up) for every initial state
    z0 that satisfies it, if and only if W meets two conditions for each
    transition (Ri, Dj, (b',M',f'), (b,M,f)):
    - every (S,O,X) in b' - b satisfies the simple security property
      relative to the new level functions f'
    - if (S,O,X) is a member of b and does not satisfy the simple security
      property relative to f', then (S,O,X) is not a member of b'
  - The same theorem with the simple security property replaced by the
    star property (a subject may alter an object only if the object's
    level dominates the subject's current level: write or append up,
    never write down) also holds.
  - THEOREM: SIGMA(R,D,W,z0) satisfies the ds-property (honours
    discretionary security: every current access is permitted by the
    access control matrix) if and only if z0 satisfies the ds-property
    and W satisfies, for each transition as above:
    - if (Sk,Ol,X) is a member of b' - b, then X is a member of
      M'[k,l], the entry of the new access control matrix
    - if (Sk,Ol,X) is a member of b and X is not a member of M'[k,l],
      then (Sk,Ol,X) is not a member of b'
- McLean says the BLP theorems do not capture the properties of security
  that were desired. LaPadula says McLean's criticism is not sound because
  McLean changed the definition of security in his criticism.
- Biba integrity model (the dual of BLP)
  - Assume higher integrity levels are more trusted than lower ones.
  - Can only read up: a subject may read only objects at or above its own
    integrity level (no read down).
  - Can only write down: a subject may write only objects at or below its
    own integrity level (no write up).
  - These two rules ensure that an object at a given integrity level cannot
    end up with less integrity as a result of read/write operations, since
    nothing of lower integrity can flow into it.
Can security and integrity models coexist in the same system? Yes, but only
if they are compartmentalized: separate confidentiality and integrity labels,
each checked by its own rules.
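An added example, not from the lecture notes: a small Python reference monitor that implements the BLP transition conditions stated in the theorems above (conditions (i) and (ii) for the simple security property, the star property and the ds-property), and in the same state the Biba dual, so that it also shows the two models coexisting on separate labels. Everything in it is constructed for illustration: the subjects alice and bob, the objects plans, keys and public, their levels and the access matrix; the function names request, change_current_level, revoke and state_secure are chosen here and are not BLP's notation.

```python
from dataclasses import dataclass

# A level is (rank, frozenset of compartments). dominates(a, b) is the lattice
# order: a's rank >= b's rank and a's compartments are a superset of b's.
def dominates(a, b):
    return a[0] >= b[0] and a[1] >= b[1]

READ, APPEND = "r", "a"   # observe-only and alter-only access modes
N, C = frozenset(), frozenset({"crypto"})   # constructed compartment sets

@dataclass
class State:
    b: set      # current accesses: the set of (S, O, X) triples
    M: dict     # discretionary access matrix: (S, O) -> set of modes
    fs: dict    # max confidentiality level of each subject
    fc: dict    # current confidentiality level of each subject
    fo: dict    # confidentiality level of each object
    is_: dict   # integrity level of each subject (Biba)
    io: dict    # integrity level of each object (Biba)

def ss_ok(st, s, o, x):
    # simple security: observe only if fs(S) dominates fo(O) (read down)
    return x != READ or dominates(st.fs[s], st.fo[o])

def star_ok(st, s, o, x):
    # *-property: observe needs fc(S) dom fo(O); alter needs fo(O) dom fc(S) (append up)
    return dominates(st.fc[s], st.fo[o]) if x == READ else dominates(st.fo[o], st.fc[s])

def ds_ok(st, s, o, x):
    # ds-property: the mode must be granted in the access matrix
    return x in st.M.get((s, o), set())

def biba_ok(st, s, o, x):
    # Biba dual: observe only if io(O) dom is(S) (read up); alter only if is(S) dom io(O) (write down)
    return dominates(st.io[o], st.is_[s]) if x == READ else dominates(st.is_[s], st.io[o])

def secure(st, s, o, x):
    return ss_ok(st, s, o, x) and star_ok(st, s, o, x) and ds_ok(st, s, o, x) and biba_ok(st, s, o, x)

def request(st, s, o, x):
    """Request 'get X access to O'. The access enters b only if it satisfies every
    property relative to the current level functions: condition (i) of the theorems."""
    if secure(st, s, o, x):
        st.b.add((s, o, x))
        return "yes"
    return "no"

def change_current_level(st, s, level):
    """Move fc(S) within fs(S). Accesses in b that the new level makes illegal are
    dropped, which is condition (ii) of the theorems (b' must not keep them)."""
    if not dominates(st.fs[s], level):
        return "no"
    st.fc[s] = level
    st.b = {acc for acc in st.b if star_ok(st, *acc)}
    return "yes"

def revoke(st, s, o, x):
    """Owner removes X from M[S,O]; condition (ii) of the ds-property theorem."""
    st.M.get((s, o), set()).discard(x)
    st.b = {acc for acc in st.b if ds_ok(st, *acc)}

def state_secure(st):
    """The invariant the theorems say the system preserves: every current access is legal."""
    return all(secure(st, *acc) for acc in st.b)

def constructed_state():
    U, S, TS = (0, N), (1, N), (2, C)      # constructed confidentiality levels
    LOW, HIGH = (0, N), (1, N)             # constructed integrity levels
    return State(
        b=set(),
        M={("alice", "plans"): {"r", "a"}, ("alice", "keys"): {"r"}, ("alice", "public"): {"r", "a"},
           ("bob", "plans"): {"r"}, ("bob", "keys"): {"r"}, ("bob", "public"): {"r", "a"}},
        fs={"alice": TS, "bob": S}, fc={"alice": S, "bob": S},
        fo={"plans": S, "keys": TS, "public": U},
        is_={"alice": HIGH, "bob": LOW}, io={"plans": HIGH, "keys": HIGH, "public": LOW})

def demo():
    st = constructed_state()
    d = [request(st, "alice", "plans", READ),    # yes: read down
         request(st, "alice", "keys", READ),     # no: keys are above alice's *current* level
         request(st, "alice", "plans", APPEND),  # yes: same level
         request(st, "alice", "public", APPEND), # no: write down (star property)
         request(st, "alice", "public", READ),   # no: Biba forbids reading low-integrity data
         request(st, "bob", "keys", READ),       # no: read up (simple security)
         request(st, "bob", "plans", APPEND),    # no: mandatory allows it, the matrix does not (ds)
         request(st, "bob", "public", READ),     # yes
         request(st, "bob", "public", APPEND),   # no: write down until bob lowers his current level
         change_current_level(st, "bob", (0, N)),
         request(st, "bob", "public", APPEND),   # yes
         change_current_level(st, "alice", (2, C)),  # drops alice's append on plans from b
         request(st, "alice", "keys", READ)]     # yes now
    revoke(st, "alice", "keys", READ)            # owner revokes: the access leaves b as well
    return d, sorted(st.b), state_secure(st)
```

request() is condition (i): an access enters b only if it is legal under the level functions in force. change_current_level() and revoke() are condition (ii): when the levels or the matrix change, any access in b that is no longer legal does not carry into b'. state_secure() is the invariant the theorems say every reachable state then satisfies; demo() ends with it true. The Biba check uses a separate pair of labels (is_, io) from the confidentiality labels, which is the "compartmentalized" coexistence the notes describe.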
Clark and Wilson moved away from the realm of integrity levels to a model
of well-formed transactions suitable for commercial transaction systems.
Two types of data items:
- UDI -- unconstrained data item (e.g. schedule for rotating
- CDI -- constrained data item (e.g. GRE scores); may only be changed by
  certified procedures
There are two types of procedures in the model:
- TP -- transformation procedures (well-formed transactions that take the
  CDIs from one valid state to another)
- IVP -- integrity verification procedures (make sure we start from a
  state in which the integrity policy is met)
and two types of rules: certification rules, which are checked outside the
system when TPs and IVPs are certified, and enforcement rules, which the
system enforces at run time.
- Certification rules
  - C1 -- IVPs must ensure that all CDIs are in a ``valid'' state, meaning
    the CDIs match the integrity policy.
  - C2 -- Each TP is certified to work correctly on a specific set of CDIs,
    taking them from a valid state to a valid state (there is a notion of
    strict typing here: a TP is only valid for the CDIs it was certified for).
  - C3 -- The lists in E2 (see below) must be certified to meet separation
    of duty requirements.
- Enforcement rules
  - E1 -- The system must maintain the list of relations (TP, (CDI1,...,
    CDIn)) and ensure that only certified TPs operate on the CDIs they were
    certified for.
  - E2 -- The system must maintain the list of relations (UserID, TP,
    (CDI1,...,CDIm)), m less than or equal to n, giving the CDIs a user may
    manipulate through that TP, and ensure that only those executions happen.
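An added example, not part of the notes or of Clark and Wilson's own paper: the enforcement rules E1 and E2 above as a Python enforcement monitor, with C1 (the IVP run before and after every TP) and C3 (a check of the E2 list against separation-of-duty pairs). The scenario is constructed for illustration: a ledger with two accounts, a control total and a pending-transfer slot as CDIs, a transfer request typed by a user as the UDI, a teller who may submit transfers and a manager who may approve them, plus one TP that was certified in error so the IVP has something to catch. The names execute, certify_separation_of_duty, demo and the TP names are assumptions made for the example.

```python
import copy

class CWViolation(Exception):
    """A request refused by an enforcement rule, or a TP that would leave the CDIs invalid."""

# Constructed CDIs (constrained data items): two balances, a control total and a
# pending-transfer slot. They change only through certified TPs run by execute().
def initial_cdis():
    return {"acct:alice": 100, "acct:bob": 50, "control_total": 150, "pending": None}

# C1: the IVP that defines a "valid" state for these CDIs.
def ivp_ledger(cdis):
    accts = [v for k, v in cdis.items() if k.startswith("acct:")]
    p = cdis["pending"]
    return (all(v >= 0 for v in accts)
            and sum(accts) == cdis["control_total"]
            and (p is None or (p[0] in cdis and p[1] in cdis and p[2] > 0)))

# TPs. C2: each is certified to take the CDIs it is registered for from a valid state
# to a valid state. A UDI (untrusted input) enters only through a TP that validates it.
def tp_submit_transfer(cdis, udi):
    """Turns a UDI (a transfer request as a dict of untrusted strings) into a pending CDI."""
    try:
        src, dst, amount = udi["src"], udi["dst"], int(udi["amount"])
    except (KeyError, TypeError, ValueError):
        raise CWViolation("malformed UDI")
    if amount <= 0 or src not in cdis or dst not in cdis or cdis["pending"] is not None:
        raise CWViolation("rejected UDI")
    cdis["pending"] = (src, dst, amount)

def tp_approve_transfer(cdis):
    """Applies the pending transfer; refuses to overdraw."""
    if cdis["pending"] is None:
        raise CWViolation("nothing pending")
    src, dst, amount = cdis["pending"]
    if cdis[src] < amount:
        raise CWViolation("insufficient funds")
    cdis[src] -= amount
    cdis[dst] += amount
    cdis["pending"] = None

def tp_credit_bonus(cdis, acct, amount):
    """Constructed bad TP, certified in error: credits an account but not the control total."""
    cdis[acct] += amount

LEDGER = {"acct:alice", "acct:bob", "control_total", "pending"}

# E1: the certified (TP, (CDI1, ..., CDIn)) relations.
CERTIFIED_TPS = {
    "submit_transfer": (tp_submit_transfer, LEDGER),
    "approve_transfer": (tp_approve_transfer, LEDGER),
    "credit_bonus": (tp_credit_bonus, {"acct:alice", "acct:bob"}),
}

# E2: the (UserID, TP, (CDI1, ..., CDIm)) relations, m <= n.
USER_TPS = {
    ("teller", "submit_transfer"): LEDGER,
    ("manager", "approve_transfer"): LEDGER,
    ("manager", "credit_bonus"): {"acct:bob"},
}

# C3: pairs of TPs that one user must never hold together.
SEPARATED = [("submit_transfer", "approve_transfer")]

def certify_separation_of_duty(user_tps=USER_TPS, separated=SEPARATED):
    """Returns the (user, pair) violations in the E2 list; an empty list means it certifies."""
    held = {}
    for user, tp in user_tps:
        held.setdefault(user, set()).add(tp)
    return [(u, pair) for u, tps in held.items() for pair in separated if set(pair) <= tps]

def execute(user, tp_name, cdis, *args):
    """The enforcement monitor: the only path by which a TP touches the CDIs."""
    allowed = USER_TPS.get((user, tp_name))                   # E2
    if allowed is None:
        raise CWViolation(f"{user} may not run {tp_name}")
    tp, certified_for = CERTIFIED_TPS[tp_name]                 # E1
    if not allowed <= certified_for:
        raise CWViolation("user's CDI set exceeds the TP's certified set")
    if not ivp_ledger(cdis):                                   # C1: valid before
        raise CWViolation("CDIs invalid before TP")
    work = copy.deepcopy(cdis)                                 # run on a copy ...
    tp(work, *args)
    changed = {k for k in work if work[k] != cdis.get(k)}
    if not changed <= allowed or not ivp_ledger(work):        # ... commit only if still valid
        raise CWViolation(f"{tp_name} would leave CDIs invalid; change discarded")
    cdis.update(work)
    return cdis

def demo():
    cdis, log = initial_cdis(), []
    def attempt(user, tp, *args):
        try:
            execute(user, tp, cdis, *args)
            log.append((user, tp, "ok"))
        except CWViolation as e:
            log.append((user, tp, f"refused: {e}"))
    attempt("teller", "submit_transfer", {"src": "acct:alice", "dst": "acct:bob", "amount": "30"})
    attempt("teller", "approve_transfer")       # E2: the teller is not authorised to approve
    attempt("manager", "approve_transfer")      # alice 70, bob 80
    attempt("teller", "submit_transfer", {"src": "acct:alice", "dst": "acct:bob", "amount": "500"})
    attempt("manager", "approve_transfer")      # TP refuses: would overdraw; CDIs untouched
    attempt("manager", "credit_bonus", "acct:bob", 10)  # IVP catches the bad TP: total is off
    return cdis, log
```

The design point is that the TP runs on a copy and the IVP is re-run before the copy is committed, so a TP whose C2 certification was wrong (tp_credit_bonus here) cannot leave the CDIs invalid; certify_separation_of_duty() is the C3 check an administrator would run over the E2 list before installing it.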