Week 3 – Part 2
Deakin University CRICOS Provider Code: 00113B
SIT182 – Real World Practices For Cyber Security
Trimester 2 – 2021
Deakin College
Topics
• Confidentiality Policies
• Integrity Policies
• Hybrid Policies
Reminder: Security Policy (Week 1)
• A high level description of the Principals (subjects), Assets (objects) and Security Properties
that must hold in the system.
• It defines what it means to be “Secure” for a system, organization or user.
• It includes a set of requirements and a set of rules to obey.
Microsoft Windows 10 has a Local Security Policy
Confidentiality Policies
Example: the navy must keep confidential the date on which a troop ship will sail. If the
enemy knows the date of sailing, the ship could be sunk ☺!
Confidentiality Policies (also known as information flow policies) aim to prevent unauthorized
disclosure of information and unauthorized alteration of information.
The Bell-LaPadula Model (BLP) – “Need to Know”
• As mentioned in Week 3 – Part 1, the most common form of Mandatory Access Control
(MAC) is Multi-level Security.
• Based on classification of subjects AND objects.
• Originating in World War II, the classifications used are Top-Secret, Secret, Confidential
(For Official Use Only, or Sensitive), and Unclassified.
• Bell-LaPadula was developed based on research supported by the US Army.
• The goal of the research work in 1973 was to be able to formally show that a given
computer system can securely process classified information.
The Bell-LaPadula Model (BLP): Question
• How would you ensure confidentiality is kept when users are accessing files at the different
levels?
• Would you allow A to READ information from B?
• Would you allow B to WRITE information to A?
[Figure: two subjects, A and B, placed in a lattice with Levels = {Top Secret, Secret} and
Categories = {army, nuclear}]
The Bell-LaPadula Model – BLP (simplified)
To ensure confidentiality (there is a lot of math behind it ☺),
• NO READ UP (or, READ DOWN ONLY): cannot read a file at a higher-level.
• No WRITE DOWN (OR, WRITE UP ONLY): a process with a confidential clearance cannot
write a non-classified file since it may contain confidential information.
Limitations of BLP Model:
• It only covers READ and WRITE (not EXECUTE)
• Too STRICT: a user at a higher level cannot even send commands to a lower level 😐 !!
(how to send orders?!)
The Bell-LaPadula Model (BLP)
Solutions for limitations:
• Temporal downgrade of a subject: people cannot at the same time access the more sensitive
files and send messages to lower levels – works as long as people themselves are trusted.
• Identify a set of trusted subjects: certain trusted subjects allowed to publish or diffuse parts of
a secret document.
The Bell-LaPadula Model (BLP) – Tranquillity
What if a subject were to change level in a live system? How could you protect against that case?
(e.g. Trojan Horse Attack)
Solution:
“Tranquility”: The classification of a subject or object does not change while it is being referenced.
The Bell-LaPadula Model (BLP) – Covert Channels
Example: a low-level subject requests a resource used by high-level subjects. Access is slow or
refused (for instance because of a file lock). From this he deduces at which moments of the day his
boss is not in the office…
The BLP model protects very well against overt (legitimate) channels. Covert channels are hard to
prevent.
Integrity Policies
Integrity policies focus on integrity rather than confidentiality, because most commercial
firms are more concerned with accuracy than with disclosure.
A higher integrity level means more confidence that
• A program will be executed correctly
• Data is accurate, reliable and not contaminated.
(nothing about its secrecy is postulated, just integrity)
Biba Model – “Right to Act Upon”
Exact Dual of BLP:
NO READ DOWN (or, READ UP ONLY): prevents the integrity of a trusted subject from being
contaminated by a less trusted data object.
No WRITE UP (OR, WRITE DOWN ONLY): restricts the contamination of data at a higher level, since
a subject is only allowed to modify data at their level or at a lower level.
Limitations of the Biba Model:
• Too STRICT, consider a USB stick and a PC:
  • the PC cannot read from the USB stick (no read down)
• No support for confidentiality
• No support for revocation of rights
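The read/write rules of BLP (no read up, no write down) and Biba (no read down, no write up) are both decided by the same lattice order on labels: a label dominates another when its level is at least as high and its category set is a superset. The following Python program is an added example, not code from the slides or from Bishop's book: it implements that order once and derives both models from it, then answers the A/B question from the BLP slide and the USB-stick limitation from the Biba slide. The concrete labels given to A, B, the PC and the USB stick, and the integrity level names, are constructed for the illustration; the slides only name the confidentiality levels and the two categories.

```python
from dataclasses import dataclass
from typing import FrozenSet

# Confidentiality levels named on the slides, ordered low to high.
CONF_LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}
# Integrity level names for the Biba half are an assumption (the slides name none).
INTEG_LEVELS = {"Untrusted": 0, "User": 1, "System": 2}


@dataclass(frozen=True)
class Label:
    """A security label: a position in a linear level order plus a category set."""
    rank: int
    categories: FrozenSet[str] = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Lattice order shared by BLP and Biba: at least as high a level AND a
        # superset of the categories. Two labels can also be incomparable.
        return self.rank >= other.rank and self.categories >= other.categories


def conf(level: str, *cats: str) -> Label:
    return Label(CONF_LEVELS[level], frozenset(cats))


def integ(level: str, *cats: str) -> Label:
    return Label(INTEG_LEVELS[level], frozenset(cats))


def blp_allows(subject: Label, obj: Label, op: str) -> bool:
    """Bell-LaPadula: no read up, no write down."""
    if op == "read":
        return subject.dominates(obj)      # read down only
    if op == "write":
        return obj.dominates(subject)      # write up only
    raise ValueError("BLP only covers read and write")   # the slide's first limitation


def biba_allows(subject: Label, obj: Label, op: str) -> bool:
    """Biba: the exact dual of BLP, no read down, no write up."""
    if op == "read":
        return obj.dominates(subject)      # read up only
    if op == "write":
        return subject.dominates(obj)      # write down only
    raise ValueError("Biba only covers read and write")


def slide_scenarios() -> dict:
    """Constructed labels answering the questions on the slides."""
    # Constructed: A is cleared Top Secret for both categories, B is Secret for army only,
    # so A dominates B.
    a = conf("Top Secret", "army", "nuclear")
    b = conf("Secret", "army")
    # Constructed: C is Secret for nuclear only, so B and C are incomparable.
    c = conf("Secret", "nuclear")
    # Constructed integrity labels for the USB-stick limitation of Biba.
    pc = integ("System")
    usb = integ("Untrusted")
    return {
        "A reads B": blp_allows(a, b, "read"),       # allow: read down
        "B reads A": blp_allows(b, a, "read"),       # deny: read up
        "B writes A": blp_allows(b, a, "write"),     # allow: write up
        "A writes B": blp_allows(a, b, "write"),     # deny: write down
        "B reads C": blp_allows(b, c, "read"),       # deny: incomparable
        "B writes C": blp_allows(b, c, "write"),     # deny: incomparable
        "PC reads USB": biba_allows(pc, usb, "read"),    # deny: read down
        "PC writes USB": biba_allows(pc, usb, "write"),  # allow: write down
        "USB writes PC": biba_allows(usb, pc, "write"),  # deny: write up
    }


if __name__ == "__main__":
    for question, allowed in slide_scenarios().items():
        print(f"{question:14} -> {'allow' if allowed else 'deny'}")
```

The incomparable pair B and C shows why categories matter: both are Secret, yet neither may read or write the other's data, which is the "need to know" part of the model. The PC/USB result reproduces the Biba limitation on the slide directly.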
Biba Model – “Right to Act Upon”
• Variations of Biba have been proposed to address some of the limitations
• Biba is fully implemented on FreeBSD (since FreeBSD 5.0)
• It is possible to combine BLP and Biba => Hybrid Policies
The Ethical Wall Policy
• Let’s consider a policy for a very specific commercial concern: the potential for conflicts of
interest and inadvertent disclosure of information by a consultant or contractor.
Example: A lawyer specializes in product liability and consults for Qantas Airlines. It could be a
breach of confidentiality for her to consult also for Virgin Australia Airlines. Why? A simultaneous
contract with McDonalds would not be a conflict.
• Brewer and Nash (1989) proposed a policy called the Ethical Wall Policy that addresses such
conflicts of interest. Strictly speaking, this is not an integrity policy, but an access control
confidentiality policy.
The Ethical Wall Policy
The security policy builds on three levels of abstraction:
Objects – such as files. Objects contain information about only one company.
Company groups – collect all objects concerning a company.
Conflict classes – cluster the groups of objects for competing companies.
For example, consider the following conflict classes:
• {Ford, Chrysler, GM}
• {Bank of America, Wells Fargo, Citicorp}
• {Microsoft, Apple}
The Ethical Wall Policy
We have a simple access control policy: A subject may access information from any company as
long as that subject has never accessed information from a different company in the same
conflict class.
For example, if you access a file from GM, you subsequently will be blocked from accessing any
files from Ford or Chrysler. You are free to access files from companies in any other conflict class.
Notice that permissions change dynamically. The access rights that any subject enjoys depends on
the history of past accesses.
The Ethical Wall Policy
Formally, the policy restricts access according to the following two properties:
(Ethical Wall) Simple Security Rule: A subject can be granted access to an object only if the object:
• is in the same company datasets as the objects already accessed by the subject, that is, “within the
Wall,” or
• belongs to an entirely different conflict of interest class.
(Ethical Wall) *-property: Write access is only permitted if:
• access is permitted by the simple security rule, and
• no object can be read which is:
• in a different company dataset than the one for which write access is requested,
• and contains unsanitized information.
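The history-dependent access rule described above and the two formal properties just listed can be made concrete in a few dozen lines. The Python program below is an added example, not code from the slides or from Brewer and Nash: it records, per subject, which company datasets have been read, applies the simple security rule on every read, and applies the *-property on every write. The object names and the subjects "alice" and "bob" are constructed; the conflict classes are the three from the slide. One assumption is stated in the code: "no object can be read which is in a different company dataset" is interpreted as the subject's read history of unsanitized objects.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Obj:
    """An object holds information about exactly one company."""
    name: str
    company: str             # the company dataset it belongs to
    sanitized: bool = False  # sanitized objects carry no company-confidential information


class EthicalWall:
    """Brewer-Nash style, history-based access control."""

    def __init__(self, conflict_classes: Iterable[Set[str]]):
        # company -> index of the conflict-of-interest class it belongs to
        self.conflict_of: Dict[str, int] = {}
        for idx, companies in enumerate(conflict_classes):
            for company in companies:
                self.conflict_of[company] = idx
        # subject -> companies whose unsanitized objects it has already read
        self.history: Dict[str, Set[str]] = {}

    def _inside_wall(self, subject: str, company: str) -> bool:
        """Simple security rule: same dataset as earlier reads, or a different conflict class."""
        for seen in self.history.get(subject, set()):
            if seen != company and self.conflict_of[seen] == self.conflict_of[company]:
                return False  # a competitor of a company the subject has already read
        return True

    def can_read(self, subject: str, obj: Obj) -> bool:
        return obj.sanitized or self._inside_wall(subject, obj.company)

    def read(self, subject: str, obj: Obj) -> bool:
        """Grant or deny a read. A granted unsanitized read is recorded, which is
        what makes the rights of the subject change dynamically."""
        if not self.can_read(subject, obj):
            return False
        if not obj.sanitized:
            self.history.setdefault(subject, set()).add(obj.company)
        return True

    def can_write(self, subject: str, obj: Obj) -> bool:
        """*-property: simple security must permit the access, and the subject must
        hold no unsanitized information from a different company dataset that the
        write could carry across. Assumption: 'can be read' is taken to mean the
        subject's recorded read history."""
        if not self._inside_wall(subject, obj.company):
            return False
        return all(seen == obj.company for seen in self.history.get(subject, set()))


def slide_trace() -> List[Tuple[str, str, str, bool]]:
    """Constructed walk-through of the slide's example conflict classes."""
    wall = EthicalWall([{"Ford", "Chrysler", "GM"},
                        {"Bank of America", "Wells Fargo", "Citicorp"},
                        {"Microsoft", "Apple"}])
    gm = Obj("gm-sales.xlsx", "GM")
    ford = Obj("ford-plan.doc", "Ford")
    ford_pr = Obj("ford-press-release.txt", "Ford", sanitized=True)
    bofa = Obj("bofa-loans.csv", "Bank of America")
    ms = Obj("ms-memo.txt", "Microsoft")
    return [
        ("alice", "read", gm.name, wall.read("alice", gm)),            # allow
        ("alice", "read", ford.name, wall.read("alice", ford)),        # deny: Ford competes with GM
        ("alice", "read", ford_pr.name, wall.read("alice", ford_pr)),  # allow: sanitized
        ("alice", "read", bofa.name, wall.read("alice", bofa)),        # allow: other conflict class
        ("alice", "write", gm.name, wall.can_write("alice", gm)),      # deny: holds BofA data
        ("bob", "read", gm.name, wall.read("bob", gm)),                # allow
        ("bob", "write", gm.name, wall.can_write("bob", gm)),          # allow: only GM data read
        ("bob", "write", ms.name, wall.can_write("bob", ms)),          # deny: would carry GM data
    ]


if __name__ == "__main__":
    for subject, op, name, ok in slide_trace():
        print(f"{subject:6} {op:5} {name:24} -> {'allow' if ok else 'deny'}")
```

Note that alice is denied the write to GM even though her reads of GM and Bank of America were both legitimate: the *-property closes the indirect path in which information read from one company is written into another company's dataset, where a colleague with a different history could then read it.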
References and Further Reading
[Chapter 5, 6, and 7] Matt Bishop, Introduction to computer security
Acknowledgement
Acknowledging the kind support and contribution of:
Dr Arash Shaghaghi (Deakin University, Australia), Prof. Chang-Tsun Li (Deakin University, Australia), Prof. Sanjay
Jha (The University of New South Wales, Australia), Dr. Nicolas Courtois (University College London, UK), Dr George
Danezis (University College London, UK), Dr Michael March (University of Maryland, USA), and Dr. Bill Young
(University of Texas at Austin).