Scribe Notes for May 14, 1997

  1. Bell-LaPadula (BLP) access control
    1. Has two levels of access control, and a request must pass both.
    2. First, mandatory (a.k.a. rule-based access control). Enforced in such a way that a user cannot get around it.
    3. Second, discretionary (a.k.a. identity-based access control). If the owner of a file says a user may not access the file, then the user cannot access it even when the mandatory check would allow it.
  2. Formal model of BLP -- encouraged strong debate in security world
    1. Formulated using a state-space approach:
      V = B x M x F
      B is the set of possible current-access sets b (each b is a set of triples (subject, object, access mode)). M is the access control matrix. F is the set of triples of functions f = (fs, fo, fc): fs = maximum security level of each subject, fo = security level of each object, fc = current security level of each subject.
      In addition to these, have:
      1. Set of requests R (e.g. "can I read O?")
      2. Set of decisions D (e.g. "yes, you can read O")
      3. Relation W subset of R x D x V x V, the set of allowed transitions (request, decision, new state, current state)
        U = current state, V = new state; both are drawn from the state set V = B x M x F
      4. System SIGMA(R,D,W,zo) subset of X x Y x Z, where X, Y and Z are sequences of requests, decisions and states indexed by the time set T = {1, 2, ...}: (x, y, z) is a member of SIGMA(R,D,W,zo) if and only if z0 = zo and (xt, yt, zt, z(t-1)) is a member of W for every t in T.
    2. Given the above formulation, BLP proved (the "basic security theorem"):
      • THEOREM: SIGMA(R,D,W,zo) satisfies the simple security property (a subject may only read objects at or below its maximum level: no read up) if zo satisfies it and, for each (Rk, Dm, (b', M', f'), (b, M, f)) in W, the two requirements hold:
        1. every (S,O,X) in b' - b satisfies the simple security property relative to f'
        2. if (S,O,X) in b does not satisfy the simple security property relative to f', then (S,O,X) is not a member of b'
        Replacing the simple security property with the star property (a subject may only write or append to objects at or above its current level: no write down) gives the corresponding theorem for the star property.
      • THEOREM: SIGMA(R,D,W,zo) satisfies the ds-property (honors discretionary security) if zo satisfies the ds-property and W satisfies:
        1. if (Si,Oj,X) is a member of b' - b then X is a member of M'ij, the entry of the new access control matrix for subject Si and object Oj
        2. if (Si,Oj,X) is a member of b and X is not a member of M'ij, then (Si,Oj,X) is not a member of b'
  3. McLean says BLP does not capture the properties of security that were actually desired: a system can satisfy the theorems' conditions and still be obviously insecure, since nothing in them forbids a transition that downgrades every subject and object to the lowest level (McLean's "System Z"). LaPadula says McLean's criticism is not sound because McLean changed the definition of security in making it.
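  The state machine and the two theorem conditions above, as an added example in Python (not part of the original notes). It implements two of the transitions W may contain, "get access" and "change current level", and checks the invariant the theorems preserve after each step; the subject and object names, the two-level lattice and the read/write/append semantics are assumptions.

```python
"""Constructed reference-monitor sketch of the BLP state machine in the notes:
state = (b, M, f) with f = (fs, fo, fc), and two of the transitions in W,
'get access' and 'change current level'. Names and scenario are assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

Level = Tuple[int, FrozenSet[str]]          # (classification rank, category set)
Access = Tuple[str, str, str]               # (subject, object, mode)

READ, WRITE, APPEND = "r", "w", "a"
OBSERVE = {READ, WRITE}                     # modes through which a subject sees data
ALTER = {WRITE, APPEND}                     # modes through which a subject changes data


def dominates(a: Level, b: Level) -> bool:
    """Lattice order on levels: higher-or-equal rank and a superset of categories."""
    return a[0] >= b[0] and a[1] >= b[1]


@dataclass
class State:
    b: Set[Access]                          # current accesses
    m: Dict[Tuple[str, str], Set[str]]      # access control matrix M[s, o]
    fs: Dict[str, Level]                    # maximum level of each subject
    fo: Dict[str, Level]                    # level of each object
    fc: Dict[str, Level]                    # current level of each subject


def ss_ok(st: State, s: str, o: str, x: str) -> bool:
    """Simple security: observing o needs fs(s) to dominate fo(o) (no read up)."""
    return x not in OBSERVE or dominates(st.fs[s], st.fo[o])


def star_ok(st: State, s: str, o: str, x: str) -> bool:
    """*-property, judged against the current level fc(s): alter only objects that
    dominate fc(s) (no write down); observe only objects fc(s) dominates. WRITE is
    both, so here it passes only when fo(o) equals fc(s)."""
    ok = True
    if x in ALTER:
        ok = ok and dominates(st.fo[o], st.fc[s])
    if x in OBSERVE:
        ok = ok and dominates(st.fc[s], st.fo[o])
    return ok


def ds_ok(st: State, s: str, o: str, x: str) -> bool:
    """Discretionary security: mode x must appear in the matrix entry M[s, o]."""
    return x in st.m.get((s, o), set())


def is_secure(st: State) -> bool:
    """The invariant the theorems preserve: every triple in b satisfies all three properties."""
    return all(ss_ok(st, *t) and star_ok(st, *t) and ds_ok(st, *t) for t in st.b)


def get_access(st: State, s: str, o: str, x: str) -> Tuple[str, State]:
    """Request 'give s access x to o'. On 'yes', b' - b is exactly {(s, o, x)} and it
    was checked against f' = f, so condition (1) of the theorems holds."""
    if ss_ok(st, s, o, x) and star_ok(st, s, o, x) and ds_ok(st, s, o, x):
        return "yes", State(st.b | {(s, o, x)}, st.m, st.fs, st.fo, st.fc)
    return "no", st


def change_current_level(st: State, s: str, new: Level) -> Tuple[str, State]:
    """Request 'set fc(s) = new', allowed when fs(s) dominates new. Any access in b
    that the properties no longer permit under f' is left out of b': this is
    condition (2) of the theorems, without which the proof does not go through."""
    if not dominates(st.fs[s], new):
        return "no", st
    st2 = State(set(st.b), st.m, st.fs, st.fo, {**st.fc, s: new})
    st2.b = {t for t in st2.b if ss_ok(st2, *t) and star_ok(st2, *t)}
    return "yes", st2


def example() -> Dict[str, object]:
    """Constructed scenario: two ranks, no categories; alice is cleared Secret, bob Unclassified."""
    U: Level = (0, frozenset())
    S: Level = (1, frozenset())
    st = State(
        b=set(),
        m={("alice", "plan"): {READ, WRITE}, ("alice", "log"): {READ, WRITE},
           ("bob", "plan"): {READ, APPEND}, ("bob", "log"): {READ, WRITE}},
        fs={"alice": S, "bob": U}, fo={"plan": S, "log": U}, fc={"alice": S, "bob": U},
    )
    steps = [
        ("bob_reads_plan", get_access, ("bob", "plan", READ)),              # read up: refused (ss)
        ("bob_appends_plan", get_access, ("bob", "plan", APPEND)),          # blind write up: allowed
        ("alice_reads_plan", get_access, ("alice", "plan", READ)),
        ("alice_writes_log_at_secret", get_access, ("alice", "log", WRITE)),  # write down: refused (*)
        ("alice_drops_level", change_current_level, ("alice", U)),          # lowers fc to write the log ...
        ("alice_writes_log_at_unclass", get_access, ("alice", "log", WRITE)),
    ]
    out: Dict[str, object] = {}
    secure = [is_secure(st)]
    for name, fn, args in steps:
        out[name], st = fn(st, *args)
        secure.append(is_secure(st))
    out["alice_still_has_plan"] = ("alice", "plan", READ) in st.b         # ... and lost her read on the plan
    out["all_states_secure"] = all(secure)
    return out
```

  The interesting step is the level change: to write the Unclassified log, alice must lower fc to Unclassified, and condition (2) then forces her Secret read out of b'. Without that rule she would hold a read on "plan" and a write on "log" at the same time, which is exactly the flow the star property exists to prevent.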
  • Now move away from the confidentiality (access control) model to using a model to ensure system integrity.
  • Biba wanted to bring trust into the model and ended up with a dual of BLP (strict integrity):
    1. Assume higher integrity levels are more trusted than lower ones.
    2. Can only read up (a subject may read only objects at or above its integrity level: no read down).
    3. Can only write down (a subject may write only objects at or below its integrity level: no write up).
    These two rules ensure that an object at a given integrity level cannot be contaminated, through a read or a write, by information from a less trusted subject or object.
    Can a security (confidentiality) model and an integrity model coexist in the same system? Yes, but only if they are compartmentalized: each policy is enforced on its own set of labels.
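  The duality and the coexistence question above, as an added example in Python (not part of the original notes). Each Biba rule is literally the BLP rule with read and write swapped, the combined monitor checks each policy on its own label component, and the last function shows why a single shared label would not work. The subject and object names and their labels are constructed:

```python
"""Constructed example: Biba strict integrity as the dual of BLP, and both
policies enforced side by side on separate confidentiality and integrity labels."""
from typing import Dict, NamedTuple


class Label(NamedTuple):
    conf: int    # confidentiality level (BLP): higher = more secret
    integ: int   # integrity level (Biba): higher = more trusted


# BLP on confidentiality levels.
def blp_read_ok(subj: int, obj: int) -> bool:
    return subj >= obj          # no read up


def blp_write_ok(subj: int, obj: int) -> bool:
    return obj >= subj          # no write down


# Biba on integrity levels: each rule is the BLP rule with read and write swapped.
def biba_read_ok(subj: int, obj: int) -> bool:
    return blp_write_ok(subj, obj)   # obj >= subj: read up only (no read down)


def biba_write_ok(subj: int, obj: int) -> bool:
    return blp_read_ok(subj, obj)    # subj >= obj: write down only (no write up)


def allowed(s: Label, o: Label, mode: str) -> bool:
    """Both policies must agree, and each looks only at its own label component."""
    if mode == "read":
        return blp_read_ok(s.conf, o.conf) and biba_read_ok(s.integ, o.integ)
    if mode == "write":
        return blp_write_ok(s.conf, o.conf) and biba_write_ok(s.integ, o.integ)
    raise ValueError(mode)


def single_label_allowed(s: int, o: int, mode: str) -> bool:
    """The non-compartmentalized alternative: one label serves as both secrecy and trust."""
    if mode == "read":
        return blp_read_ok(s, o) and biba_read_ok(s, o)
    return blp_write_ok(s, o) and biba_write_ok(s, o)


def single_label_collapses(levels: int) -> bool:
    """True if, with a shared label, information may flow only between equal levels."""
    return all(single_label_allowed(s, o, m) == (s == o)
               for s in range(levels) for o in range(levels) for m in ("read", "write"))


# Constructed subjects and objects. A build server is trusted but holds no secrets;
# an analyst sees secrets but is not trusted to produce releases.
SUBJECTS = {
    "build_server": Label(conf=0, integ=2),
    "analyst": Label(conf=2, integ=1),
    "web_app": Label(conf=0, integ=0),
}
OBJECTS = {
    "signed_release": Label(conf=0, integ=2),
    "upload_dir": Label(conf=0, integ=0),
    "threat_report": Label(conf=2, integ=1),
    "public_site": Label(conf=0, integ=1),
}


def decision_table() -> Dict[str, bool]:
    """Every (subject, mode, object) decision under the combined policy."""
    return {f"{s} {m} {o}": allowed(SUBJECTS[s], OBJECTS[o], m)
            for s in SUBJECTS for o in OBJECTS for m in ("read", "write")}
```

  Two rows are worth reading off the table: the build server may not read the upload directory even though confidentiality permits it (Biba blocks the read down), and the web application may not write the threat report even though BLP would allow a blind write up (Biba blocks the write up). With one label doing both jobs, `single_label_collapses` confirms that only equal-level flows survive, which is the concrete reason the two models must be compartmentalized.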
  • The Clark and Wilson model moved from the realm of integrity levels to a model of well-formed transactions and separation of duty, which suits commercial transaction systems. Two types of data:
    1. UDI -- unconstrained data item (e.g. the schedule for rotating tires)
    2. CDI -- constrained data item, to which the integrity policy applies (e.g. GRE scores)
    Also have:
    1. TP -- transformation procedures (the well-formed transactions that are allowed to change CDIs)
    2. IVP -- integrity verification procedures (make sure we start from a state in which the integrity policy is met)
    There are two types of rules in the model:
    1. Certification rules
      1. C1 -- IVPs ensure CDIs are in a ``valid'' state, meaning the CDIs match the integrity policy.
      2. C2 -- A TP may only work on certain types of CDIs (there is a notion of strict typing here), and is certified to take those CDIs from one valid state to another.
      3. C3 -- The lists in E2 (see below) must be certified to meet separation of duty requirements.
    2. Enforcement rules
      1. E1 -- The system must maintain the list of (TP, (CDI1,..., CDIn)) relations and ensure that only certified TPs operate on the CDIs listed for them.
      2. E2 -- The system must maintain a list of which user IDs may run which TP on which CDIs, (UserID, TP, (CDI1,...,CDIm)) with m less than or equal to n, and ensure that only executions described by one of these entries are performed.
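  The rules above, as an added example in Python (not part of the original notes or of the Clark-Wilson paper): a small ledger whose CDIs are account balances, an IVP for C1, TPs whose E1 and E2 lists are checked at run time, and a certification-time check over E2 for the m ≤ n requirement and C3. The ledger, the users, the separation-of-duty policy and the deliberately mis-certified `tp_credit` are all constructed; re-running the IVP after each TP is an added safeguard, not one of the model's rules, and is there to show what C2 certification is supposed to guarantee.

```python
"""Constructed Clark-Wilson enforcement sketch: CDIs, an IVP (C1), certified TPs (C2),
the E1 and E2 relations, and a certification-time check of E2 (m <= n and C3)."""
from typing import Callable, Dict, FrozenSet, List, Tuple

CDIs = Dict[str, int]                 # constrained data items: balances in cents
TP = Callable[..., None]              # a transformation procedure mutates a CDI dict in place


def ivp(cdis: CDIs) -> bool:
    """C1: the integrity policy for this ledger. Balances are non-negative and the
    recorded ledger total equals the sum of the accounts."""
    accounts = {k: v for k, v in cdis.items() if k.startswith("acct_")}
    return all(v >= 0 for v in accounts.values()) and sum(accounts.values()) == cdis["ledger_sum"]


def tp_transfer(cdis: CDIs, src: str, dst: str, amount: int) -> None:
    """Well-formed: moves money between two accounts; the total is unchanged."""
    if amount <= 0 or cdis[src] < amount:
        raise ValueError("invalid transfer")
    cdis[src] -= amount
    cdis[dst] += amount


def tp_deposit(cdis: CDIs, dst: str, ledger: str, amount: int) -> None:
    """Well-formed: external funds arrive; the account and the ledger total move together."""
    if amount <= 0:
        raise ValueError("invalid deposit")
    cdis[dst] += amount
    cdis[ledger] += amount


def tp_credit(cdis: CDIs, dst: str, amount: int) -> None:
    """NOT well-formed: bumps an account without the ledger total. Constructed as a
    TP that was certified by mistake, to show what the C2 certification must catch."""
    cdis[dst] += amount


TPS: Dict[str, TP] = {"transfer": tp_transfer, "deposit": tp_deposit, "credit": tp_credit}

# E1: (TP, (CDI1, ..., CDIn)), the CDIs each TP is certified to operate on.
E1: Dict[str, FrozenSet[str]] = {
    "transfer": frozenset({"acct_a", "acct_b"}),
    "deposit": frozenset({"acct_a", "acct_b", "ledger_sum"}),
    "credit": frozenset({"acct_b"}),
}
# E2: (UserID, TP, (CDI1, ..., CDIm)), which TPs each user may run and on which CDIs.
E2: Dict[Tuple[str, str], FrozenSet[str]] = {
    ("alice", "transfer"): frozenset({"acct_a", "acct_b"}),
    ("bob", "deposit"): frozenset({"acct_a", "acct_b", "ledger_sum"}),
    ("carol", "transfer"): frozenset({"acct_a", "acct_b"}),
    ("carol", "deposit"): frozenset({"acct_a", "ledger_sum"}),   # conflicts with her transfer right
    ("alice", "credit"): frozenset({"acct_b"}),
}
# Constructed separation-of-duty policy: nobody both brings funds in and moves them.
CONFLICTS = {frozenset({"transfer", "deposit"})}


def certify_e2(e2: Dict[Tuple[str, str], FrozenSet[str]], e1: Dict[str, FrozenSet[str]],
               conflicts) -> List[str]:
    """Certification-time checks on E2: m <= n (a user's CDI set lies within the TP's
    E1 set) and C3 (no user holds two conflicting TPs on a common CDI)."""
    problems: List[str] = []
    for (user, tp), cdis in e2.items():
        if not cdis <= e1.get(tp, frozenset()):
            problems.append(f"{user}/{tp}: CDIs not within the E1 list")
    for (u1, t1), c1 in e2.items():
        for (u2, t2), c2 in e2.items():
            if u1 == u2 and t1 < t2 and frozenset({t1, t2}) in conflicts and c1 & c2:
                problems.append(f"{u1}: holds {t1} and {t2} on {sorted(c1 & c2)}")
    return problems


def run_tp(cdis: CDIs, user: str, tp: str, targets: Tuple[str, ...], *args) -> Tuple[str, CDIs]:
    """Run-time enforcement: E2, then E1, then the TP on a copy. The copy is committed
    only if the integrity policy still holds (the added re-check of what C2 promises)."""
    if not set(targets) <= E2.get((user, tp), frozenset()):
        return "denied by E2", cdis
    if not set(targets) <= E1.get(tp, frozenset()):
        return "denied by E1", cdis
    work = dict(cdis)
    try:
        TPS[tp](work, *targets, *args)
    except ValueError as e:
        return f"TP refused: {e}", cdis
    if not ivp(work):
        return "rejected: integrity policy violated", cdis
    return "ok", work


def scenario() -> Dict[str, object]:
    """Constructed run: initial IVP, certification of E2, then a sequence of requests."""
    cdis: CDIs = {"acct_a": 6000, "acct_b": 4000, "ledger_sum": 10000}
    out: Dict[str, object] = {"initial_valid": ivp(cdis), "certification": certify_e2(E2, E1, CONFLICTS)}
    out["alice_transfer"], cdis = run_tp(cdis, "alice", "transfer", ("acct_a", "acct_b"), 1500)
    out["bob_transfer"], cdis = run_tp(cdis, "bob", "transfer", ("acct_a", "acct_b"), 100)
    out["alice_deposit"], cdis = run_tp(cdis, "alice", "deposit", ("acct_b", "ledger_sum"), 100)
    out["alice_credit"], cdis = run_tp(cdis, "alice", "credit", ("acct_b",), 100)
    out["bob_deposit"], cdis = run_tp(cdis, "bob", "deposit", ("acct_a", "ledger_sum"), 500)
    out["final"] = cdis
    return out
```

  `certify_e2` flags carol, who holds both `deposit` and `transfer` on `acct_a`, before the system ever runs; that is the C3 check, and it belongs at certification time, not in the request path. At run time E2 stops bob from transferring and alice from depositing, and the mis-certified `credit` TP is caught only because the ledger invariant is re-checked, which is the practical argument for keeping IVPs cheap enough to run often rather than trusting certification alone.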